Abstract

The main aim of this paper is to promote a certain style of doing coinductive proofs, similar to inductive proofs as commonly done by mathematicians. For this purpose we provide a reasonably direct justification for coinductive proofs written in this style, i.e., converting a coinductive proof into a non-coinductive argument is purely a matter of routine. Our main interest is in applying this coinductive style of arguments in infinitary lambda-calculus.

In the second part of the paper we present a new coinductive proof of confluence of Böhm reduction in infinitary lambda-calculus. The proof is simpler than previous proofs of this result. The technique of the proof is new, i.e., it is not merely a coinductive reformulation of any earlier proofs.
1 Introduction

In its basic and most common form, coinduction is a method for reasoning about the greatest fixpoints of monotone endofunctions on $\mathcal{P}(A)$ for some set $A$. Induction in turn may be seen as a way of reasoning about the least fixpoints of monotone endofunctions.

Let $F : \mathcal{P}(A) \to \mathcal{P}(A)$ be monotone. By the well-known Knaster-Tarski fixpoint theorem, the least fixpoint $\mu F$ and the greatest fixpoint $\nu F$ of $F$ exist and may be characterized as
\[
\mu F = \bigcap \{ X \in \mathcal{P}(A) \mid F(X) \subseteq X \}, \qquad
\nu F = \bigcup \{ X \in \mathcal{P}(A) \mid X \subseteq F(X) \}.
\]
This yields the following proof principles
\[
\frac{F(X) \subseteq X}{\mu F \subseteq X}\ \text{(IND)} \qquad\qquad
\frac{X \subseteq F(X)}{X \subseteq \nu F}\ \text{(COIND)}
\]


where $X \in \mathcal{P}(A)$. The rule (COIND) is commonly used as the principle underlying coinductive proofs. However, this rule is arguably sometimes inconvenient to apply directly. Ordinarily, when doing inductive proofs mathematicians do not directly employ the dual rule (IND), explicitly providing the set $X$ and calculating $F(X)$. Nor do they think in terms of (IND). Instead, they show an inductive step, using the inductive hypothesis with parameters smaller in an appropriate sense. There is a common understanding of when an inductive proof is correct. In ordinary mathematical practice, nobody bothers with arguing each time that an inductive proof is indeed a valid application of some formal induction principle. Induction is well-understood, and it is sufficient for everyone that an inductive proof may be formalized "in principle".

In contrast to induction, coinduction is not so well-established and usually not trusted in the same way. One aim of this paper is to promote and provide a reasonably direct justification for a certain style of doing coinductive proofs: showing a coinductive step using a coinductive hypothesis. As such, the first part of the paper (Section 4) has a flavour of a tutorial, with more space devoted to examples than to mathematical results.

From the point of view of someone well-acquainted with coinduction, the results of Section 2 are probably not very insightful. They are known "in principle" to people studying coinduction. However, the author believes that there is a need to present coinductive techniques in a way accessible to a broad audience, giving simple criteria to verify the correctness of coinductive proofs and corecursive definitions without being forced to reformulate them too much to fit any formal principles. Our style of writing coinductive proofs is similar to how such proofs are presented in e.g. [321 El EM 05], but we justify them by direct reduction to transfinite induction. This seems to provide a more approachable correctness criterion for someone not well-acquainted with infinite proofs in type theory [20, 33]. Our method for justifying (non-guarded) corecursive definitions usually boils down to solving some recursive equations in natural numbers. The coalgebraic approach to coinduction [Ml El] is perhaps more abstract and conceptually satisfying, but not so straightforward to apply directly. Even the rule (COIND) is rather inconvenient in certain more complex situations.

The mathematically novel result of this paper is contained in Section 5 where, as an illustration of the coinductive techniques from Section 2, we give a new coinductive proof of confluence of Böhm reduction in infinitary lambda-calculus, i.e., of infinitary $\beta\bot$-reduction where terms reduce to $\bot$ when they have no head normal form. We consider reductions on arbitrary infinitary lambda-terms, not only on $\Lambda^{001}$-terms like in [32], though this is not a big difference because all terms not in $\Lambda^{001}$ reduce to $\bot$ anyway. Similar confluence results (with different sets of terms or different notions instead of head normal form) were obtained in [38, 39]. See also [59, Chapter 12]. However, our coinductive proof is simpler than [39], or even than the recent [21]. Moreover, the strategy of the proof is new, unlike in [21] where a coinductive confluence proof was given following the general strategy of [39]. Our proof strategy bears some similarity to the proof of the unique normal forms property of orthogonal iTRSs in [31], but only on a very high level.

1.1 Related work

Coinduction and corecursion are by no means new topics. We do not attempt here to provide an extensive overview of existing literature. We only mention the pioneering work of Aczel on non-well-founded set theory [3], the final coalgebra theorem of Aczel and Mendler [5], the subsequent work of Barr [13], and the work of Rutten m providing coalgebraic foundations for coinduction. A historical overview of coinduction may be found in [52]. An elementary introduction to coinduction and bisimulation is [53]. For a coalgebraic treatment see e.g. [36, 51].

Our approach in Section 4.1 is largely inspired by the work of Sijtsma [57] on productivity of streams, and the subsequent work on sized types [mEunnsuM]. In fact, the central Corollary 4.8 is a generalization of Theorem 32 from m. In contrast to the work on sized types, we are not interested in this paper in providing a formal system, but in explaining corecursion semantically, in terms of ordinary set theory. Related is also the work on productivity of streams and infinite data structures [M123 IMl EH ED HSUSB], and some of the examples in Section 4.2 are taken from the cited papers. Productivity was first mentioned by Dijkstra [26]. The articles [20, 33] investigate guarded corecursive definitions in type theory. The chapters mm are a practical introduction to coinduction in Coq. The paper [21] was to a large extent a motivation for writing the present paper. The article [35] has a similar aim to the present paper, but its approach is quite different. Our style of presenting coinductive proofs is similar to how such proofs are presented in e.g. [IS El (MSS 05].

Infinitary lambda-calculus was introduced in [39, 38]. Results closely related to the confluence result of this paper were already obtained in [39], by a different proof method. See also [591EUMJ for an overview of various results in infinitary lambda-calculus and infinitary rewriting.

Joachimski in [37] gives a coinductive confluence proof for infinitary lambda-calculus, but Joachimski's notion of reduction does not correspond to the standard notion of a strongly convergent reduction. Essentially, it allows for infinitely many parallel contractions in one step, but only finitely many reduction steps. The coinductive definition of infinitary reductions capturing strongly convergent reductions was introduced in [32]. Later [29] generalized this to infinitary term rewriting systems. In [21], using the definition from [32], the confluence of infinitary $\beta\bot$-reduction with $\bot$-contractions of root-active subterms was shown coinductively. The proof in [21] follows the general strategy of [39, 38]. The proof in the present paper bears some similarity to the proof of the unique normal forms property of orthogonal iTRSs in [33]. Some other papers related to the methods of the present work are mmmmmmm.

There are three well-known variants of infinitary lambda-calculus: the $\Lambda^{111}$, $\Lambda^{001}$ and $\Lambda^{101}$ calculi HaGSHGElEBI. The superscripts 111, 001, 101 indicate the depth measure used: $abc$ means that we add $a$/$b$/$c$ to the depth when going down/left/right in the tree of the lambda-term [39, Definition 6]. We essentially consider the $\Lambda^{001}$-calculus, but with $\Lambda^{111}$-terms. In other words, the $\bot$-rules reduce terms with no head normal form, but we do not restrict the set of considered terms to $\Lambda^{001}$. This does not make much difference, because terms not present in $\Lambda^{001}$ have no head normal form and thus reduce to $\bot$ anyway.

In the $\Lambda^{001}$-calculus, after addition of appropriate $\bot$-rules, every finite term has its Böhm tree [38] as the normal form. In $\Lambda^{111}$ and $\Lambda^{101}$, the normal forms are, respectively, Berarducci trees and Lévy-Longo trees [39, 38]. With the addition of infinite $\eta$- or $\eta!$-reductions it is possible to also capture, respectively, $\eta$-Böhm or $\infty\eta$-Böhm trees as normal forms [54, 55].

2 A crash-course in coinduction

In this section we give an elementary explanation of the most common coinductive techniques. This is generalised and elaborated in more detail in Section 4. Some of the examples, definitions and theorems from the present section are later repeated and/or generalised in Section 4. This section strives to strike a balance between generality and ease of understanding. The explanation given here treats only guarded corecursive definitions and only guarded proofs, but in practice this suffices in most cases when using coinduction in the context of infinitary lambda-calculus.

2.1 Infinite terms and corecursion

In this section we define many-sorted coterms. We also explain and justify guarded corecursion using elementary notions.

Definition 2.1. A many-sorted algebraic signature $\Sigma = (\Sigma_s, \Sigma_c)$ consists of a collection of sort symbols $\Sigma_s = \{s_i\}_{i \in I}$ and a collection of constructors $\Sigma_c = \{c_j\}_{j \in J}$. Each constructor $c$ has an associated type $\tau(c) = (s_1, \ldots, s_n; s)$ where $s_1, \ldots, s_n, s \in \Sigma_s$. If $\tau(c) = (; s)$ then $c$ is a constant of sort $s$. In what follows we use $\Sigma, \Sigma'$, etc., for many-sorted algebraic signatures, $s, s'$, etc., for sort symbols, and $f, g, c, d$, etc., for constructors.

The set $T^\infty(\Sigma)$, or just $T(\Sigma)$, of coterms over $\Sigma$ is the set of all finite and infinite terms over $\Sigma$, i.e., all finite and infinite labelled trees with labels of nodes specified by the constructors of $\Sigma$ such that the types of labels of nodes agree. More precisely, a term $t$ over $\Sigma$ is a partial function from $\mathbb{N}^*$ to $\Sigma_c$ satisfying:

• $t(\varepsilon)\!\downarrow$, and

• if $t(p) = c \in \Sigma_c$ with $\tau(c) = (s_1, \ldots, s_n; s)$ then

  – $t(pi) = d \in \Sigma_c$ with $\tau(d) = (s'_1, \ldots, s'_m; s_{i+1})$ for $i < n$,

  – $t(pi)\!\uparrow$ for $i \geq n$,

• if $t(p)\!\uparrow$ then $t(pi)\!\uparrow$ for every $i \in \mathbb{N}$,

where $t(p)\!\uparrow$ means that $t(p)$ is undefined, $t(p)\!\downarrow$ means that $t(p)$ is defined, and $\varepsilon \in \mathbb{N}^*$ is the empty string. We use obvious notations for coterms, e.g., $f(g(t, s), c)$ when $c, f, g \in \Sigma_c$ and $t, s \in T(\Sigma)$, and the types agree. We say that a term $t$ is of sort $s$ if $t(\varepsilon)$ is a constructor of type $(s_1, \ldots, s_n; s)$ for some $s_1, \ldots, s_n \in \Sigma_s$. By $T_s(\Sigma)$ we denote the set of all terms of sort $s$ from $T(\Sigma)$.
Example 2.2. Let $A$ be a set. Let $\Sigma$ consist of two sorts $s$ and $d$, one constructor $\mathrm{cons}$ of type $(d, s; s)$ and a distinct constant $a \in A$ of sort $d$ for each element of $A$. Then $T_s(\Sigma)$ is the set of streams over $A$. We also write $T_s(\Sigma) = A^\omega$ and $T_d(\Sigma) = A$. Instead of $\mathrm{cons}(a, t)$ we usually write $a : t$, and we assume that $:$ associates to the right, e.g., $x : y : t$ is $x : (y : t)$. We also use the notation $x : t$ to denote the application of the constructor for $\mathrm{cons}$ to $x$ and $t$. We define the functions $\mathrm{hd} : A^\omega \to A$ and $\mathrm{tl} : A^\omega \to A^\omega$ by
\[
\mathrm{hd}(a : t) = a, \qquad \mathrm{tl}(a : t) = t.
\]
Specifications of many-sorted signatures may be conveniently given by coinductively interpreted grammars. For instance, the set $A^\omega$ of streams over a set $A$ could be specified by writing
\[
A^\omega ::= \mathrm{cons}(A, A^\omega).
\]
A more interesting example is that of finite and infinite binary trees with nodes labelled either with $a$ or $b$, and leaves labelled with one of the elements of a set $V$:
\[
T ::= V \mid\mid a(T, T) \mid\mid b(T, T).
\]
As such specifications are not intended to be formal entities but only convenient visual means for describing sets of coterms, we will not define them precisely. It is always clear what many-sorted signature is meant.

For the sake of brevity we often use $T = T(\Sigma)$ and $T_s = T_s(\Sigma)$, i.e., we omit the signature $\Sigma$ when clear from the context or irrelevant.

Definition 2.3. The class of constructor-guarded functions is defined inductively as the class of all functions $h : T_s^m \to T_{s'}$ (for arbitrary $m \in \mathbb{N}$, $s, s' \in \Sigma_s$) such that there are a constructor $c$ of type $(s_1, \ldots, s_k; s')$ and functions $u_i : T_s^m \to T_{s_i}$ ($i = 1, \ldots, k$) such that
\[
h(y_1, \ldots, y_m) = c(u_1(y_1, \ldots, y_m), \ldots, u_k(y_1, \ldots, y_m))
\]
for all $y_1, \ldots, y_m \in T_s$, and for each $i = 1, \ldots, k$ one of the following holds:

• $u_i$ is constructor-guarded, or

• $u_i$ is a constant function, or

• $s_i = s$ and there is $1 \leq j \leq m$ with $u_i(y_1, \ldots, y_m) = y_j$ for all $y_1, \ldots, y_m \in T_s$.

Let $S$ be a set. A function $h : S \times T_s^m \to T_{s'}$ is constructor-guarded if for every $x \in S$ the function $h_x : T_s^m \to T_{s'}$ defined by $h_x(y_1, \ldots, y_m) = h(x, y_1, \ldots, y_m)$ is constructor-guarded. A function $f : S \to T_s$ is defined by guarded corecursion from $h : S \times T_s^m \to T_s$ and $g_i : S \to S$ ($i = 1, \ldots, m$) if $h$ is constructor-guarded and $f$ satisfies
\[
f(x) = h(x, f(g_1(x)), \ldots, f(g_m(x)))
\]
for all $x \in S$.

The following theorem is folklore in the coalgebra community. We sketch an elementary proof. In fact, each set of many-sorted coterms is a final coalgebra of an appropriate set-functor. Then Theorem 2.4 follows from more general principles. See e.g. [36, 51] for a more general coalgebraic explanation of corecursion.

Theorem 2.4. For any constructor-guarded function $h : S \times T_s^m \to T_s$ and any $g_i : S \to S$ ($i = 1, \ldots, m$), there exists a unique function $f : S \to T_s$ defined by guarded corecursion from $h$ and $g_1, \ldots, g_m$.

Proof. Let $f_0 : S \to T_s$ be an arbitrary function. Define $f_{n+1}$ for $n \in \mathbb{N}$ by $f_{n+1}(x) = h(x, f_n(g_1(x)), \ldots, f_n(g_m(x)))$. Using the fact that $h$ is constructor-guarded, one shows by induction on $n$ that:

(★) $f_{n+1}(x)(p) = f_n(x)(p)$ for $x \in S$ and $p \in \mathbb{N}^*$ with $|p| < n$,

where $|p|$ denotes the length of $p$. Indeed, the base case is obvious. We show the inductive step. Let $x \in S$. Because $h$ is constructor-guarded, we have for instance
\[
f_{n+2}(x) = h(x, f_{n+1}(g_1(x)), \ldots, f_{n+1}(g_m(x))) = c_1(c_2, c_3(w, f_{n+1}(g_1(x)))).
\]
Let $p \in \mathbb{N}^*$ with $|p| \leq n$. The only interesting case is when $p = 11p'$, i.e., when $p$ points inside $f_{n+1}(g_1(x))$. But then $|p'| < |p| \leq n$, so by the inductive hypothesis $f_{n+1}(g_1(x))(p') = f_n(g_1(x))(p')$. Thus $f_{n+2}(x)(p) = f_{n+1}(g_1(x))(p') = f_n(g_1(x))(p') = f_{n+1}(x)(p)$.

Now we define $f : S \to T_s$ by
\[
f(x)(p) = f_{|p|+1}(x)(p)
\]
for $x \in S$, $p \in \mathbb{N}^*$. Using (★) it is routine to check that $f(x)$ is a well-defined coterm for each $x \in S$. To show that $f : S \to T_s$ is defined by guarded corecursion from $h$ and $g_1, \ldots, g_m$, using (★) one shows by induction on the length of $p \in \mathbb{N}^*$ that for any $x \in S$:
\[
f(x)(p) = h(x, f(g_1(x)), \ldots, f(g_m(x)))(p).
\]
To prove that $f$ is unique it suffices to show that it does not depend on $f_0$. For this purpose, using (★) one shows by induction on the length of $p \in \mathbb{N}^*$ that $f(x)(p)$ does not depend on $f_0$ for any $x \in S$. □


We shall often use the above theorem implicitly, just mentioning that some equations define a function by guarded corecursion.

Example 2.5. Consider the equation
\[
\mathrm{even}(x : y : t) = x : \mathrm{even}(t).
\]
It may be rewritten as
\[
\mathrm{even}(t) = \mathrm{hd}(t) : \mathrm{even}(\mathrm{tl}(\mathrm{tl}(t))).
\]
So $\mathrm{even} : A^\omega \to A^\omega$ is defined by guarded corecursion from $h : A^\omega \times A^\omega \to A^\omega$ given by
\[
h(t, t') = \mathrm{hd}(t) : t'
\]
and $g : A^\omega \to A^\omega$ given by
\[
g(t) = \mathrm{tl}(\mathrm{tl}(t)).
\]
By Theorem 2.4 there is a unique function $\mathrm{even} : A^\omega \to A^\omega$ satisfying the original equation. Another example of a function defined by guarded corecursion is $\mathrm{zip} : A^\omega \times A^\omega \to A^\omega$:
\[
\mathrm{zip}(x : t, s) = x : \mathrm{zip}(s, t).
\]
The following function $\mathrm{merge} : \mathbb{N}^\omega \times \mathbb{N}^\omega \to \mathbb{N}^\omega$ is also defined by guarded corecursion:
\[
\mathrm{merge}(x : t_1, y : t_2) =
\begin{cases}
x : \mathrm{merge}(t_1, y : t_2) & \text{if } x < y \\
y : \mathrm{merge}(x : t_1, t_2) & \text{otherwise.}
\end{cases}
\]
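The construction in the proof of Theorem 2.4 and the stream functions of Example 2.5 can be run. The following Python is an added example, not code from the paper: it represents a stream as a head together with a memoised thunk for its tail, defines even, zip and merge by exactly the guarded equations above, builds the approximants $f_n$ of the proof of Theorem 2.4 from an arbitrary $f_0$ and checks that the prefix of $f_n(x)$ does not depend on $f_0$ (property (★)), and checks the identity $\mathrm{zip}(\mathrm{even}(t), \mathrm{even}(\mathrm{tl}(t))) = t$ of Example 2.11 to a finite depth. The Stream class and all helper names are my own choices.

```python
# Added example (not from the paper): streams as lazy coterms, guarded corecursion
# (Definition 2.3, Theorem 2.4, Example 2.5) and the approximants f_n from the proof
# of Theorem 2.4.  The Stream class and all helper names are my own choices.


class Stream:
    """A stream a : t of Example 2.2: head `hd`, tail computed on demand and memoised."""

    __slots__ = ("hd", "_thunk", "_tail")

    def __init__(self, hd, thunk):
        self.hd = hd
        self._thunk = thunk
        self._tail = None

    @property
    def tl(self):
        if self._tail is None:
            self._tail = self._thunk()
        return self._tail

    def take(self, n):
        """The finite prefix of length n, the only way a stream is ever observed."""
        out, s = [], self
        for _ in range(n):
            out.append(s.hd)
            s = s.tl
        return out


def cons(a, thunk):
    """a : t, with t given as a thunk so that the tail is not built until needed."""
    return Stream(a, thunk)


def from_function(g, i=0):
    """The stream g(i) : g(i+1) : g(i+2) : ... (from_function(lambda i: i) is 0 : 1 : 2 : ...)."""
    return cons(g(i), lambda: from_function(g, i + 1))


# even(x : y : t) = x : even(t), i.e. even(t) = hd(t) : even(tl(tl(t)))
def even(t):
    return cons(t.hd, lambda: even(t.tl.tl))


# zip(x : t, s) = x : zip(s, t)
def zip_(t, s):
    return cons(t.hd, lambda: zip_(s, t.tl))


# merge(x : t1, y : t2) = x : merge(t1, y : t2) if x < y, else y : merge(x : t1, t2)
def merge(t1, t2):
    if t1.hd < t2.hd:
        return cons(t1.hd, lambda: merge(t1.tl, t2))
    return cons(t2.hd, lambda: merge(t1, t2.tl))


def bisimilar_upto(t, s, n):
    """Bisimilarity (Definition 2.9) checked up to depth n: the prefixes of length n agree."""
    return t.take(n) == s.take(n)


# The approximants of the proof of Theorem 2.4 for an equation f(x) = h(x, f(g(x)))
# (the case m = 1): f_0 is arbitrary and f_{n+1}(x) = h(x, f_n(g(x))).
def approximant(h, g, f0, n):
    f = f0
    for _ in range(n):
        f = (lambda fn: (lambda x: h(x, fn(g(x)))))(f)
    return f


# even as an instance of the theorem: h(t, t') = hd(t) : t' and g(t) = tl(tl(t))
def h_even(t, t_prime):
    return cons(t.hd, lambda: t_prime)


def g_even(t):
    return t.tl.tl


def even_prefix_via_approximants(t, n, f0):
    """The first n elements of f_n(t).  By property (*) of the proof of Theorem 2.4 the
    approximants stabilise on ever longer prefixes; for this h every step fixes one more
    element, so the returned list does not depend on f0 (only element n onwards does)."""
    return approximant(h_even, g_even, f0, n)(t).take(n)
```

Only finite prefixes are ever observed, which is the computational content of Proposition 2.10: two streams are bisimilar exactly when all their prefixes agree, and a check to depth $n$ is a finite stage of that bisimulation. The thunk passed to cons is what makes the definitions guarded operationally: each equation produces one constructor before any corecursive call is evaluated, so every prefix is computed in finitely many steps.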
2.2 Coinduction

In this section¹ we give a brief explanation of a certain style of writing coinductive proofs. This style is perhaps not completely standard, but it is similar to how such proofs are presented in e.g. m m Ea mm. However, in contrast to some of these papers, we do not claim that our proofs are a paper presentation of proofs formalised in a proof assistant (though they could probably be formalised in such a system).

There are many ways in which our coinductive proofs could be justified. With enough patience one could, in principle, reformulate all proofs to directly employ the usual coinduction principle in set theory based on the Knaster-Tarski fixpoint theorem [53]. Whenever proofs and corecursive definitions are guarded one could formalise them in a proof assistant based on type theory with a syntactic guardedness check, e.g., in Coq HUES]. Non-guarded proofs could probably be formalised in recent versions of Agda with sized types e Ha. Perhaps the most straightforward, but maybe not the foundationally nicest, way of justifying our proofs is by reducing coinduction to transfinite induction, as outlined below.

Example 2.6. Let $T$ be the set of all finite and infinite terms defined coinductively by
\[
T ::= V \mid\mid A(T) \mid\mid B(T, T)
\]
where $V$ is a countable set of variables, and $A, B$ are constructors. By $x, y, \ldots$ we denote variables, and by $t, s, \ldots$ we denote elements of $T$. Define a binary relation $\to$ on $T$ coinductively by the following rules (all of them are read coinductively, i.e., with double lines).
\[
\frac{}{x \to x}\ (1) \qquad
\frac{t \to t'}{A(t) \to A(t')}\ (2) \qquad
\frac{s \to s' \quad t \to t'}{B(s, t) \to B(s', t')}\ (3) \qquad
\frac{t \to t'}{A(t) \to B(t', t')}\ (4)
\]
Formally, the relation $\to$ is the greatest fixpoint of a monotone function
\[
F : \mathcal{P}(T \times T) \to \mathcal{P}(T \times T)
\]
defined by
\[
F(R) = \{ (t_1, t_2) \mid \exists x \in V\,(t_1 = t_2 = x) \ \vee\ \exists t, t' \in T\,(t_1 = A(t) \wedge t_2 = B(t', t') \wedge R(t, t')) \ \vee\ \ldots \}.
\]
Alternatively, using the Knaster-Tarski fixpoint theorem, the relation $\to$ may be characterised as the greatest binary relation on $T$ (i.e. the greatest subset of $T \times T$ w.r.t. set inclusion) such that ${\to} \subseteq F({\to})$, i.e., such that for every $t_1, t_2 \in T$ with $t_1 \to t_2$ one of the following holds:

1. $t_1 = t_2 = x$ for some variable $x \in V$,

2. $t_1 = A(t)$, $t_2 = A(t')$ with $t \to t'$,

3. $t_1 = B(s, t)$, $t_2 = B(s', t')$ with $s \to s'$ and $t \to t'$,

4. $t_1 = A(t)$, $t_2 = B(t', t')$ with $t \to t'$.

Yet another way to think about $\to$ is that $t_1 \to t_2$ holds if and only if there exists a potentially infinite derivation tree of $t_1 \to t_2$ built using the rules (1)-(4).

The rules (1)-(4) could also be interpreted inductively to yield the least fixpoint of $F$. This is the conventional interpretation, and it is indicated with a single line in each rule separating premises from the conclusion. A coinductive interpretation is indicated with double lines.

The greatest fixpoint $\to$ of $F$ may be obtained by transfinitely iterating $F$ starting with $T \times T$. More precisely, define an ordinal-indexed sequence $(\to^\alpha)_\alpha$ by:

• ${\to^0} = T \times T$,

• ${\to^{\alpha+1}} = F({\to^\alpha})$,

• ${\to^\lambda} = \bigcap_{\alpha < \lambda} {\to^\alpha}$ for a limit ordinal $\lambda$.

Then there exists an ordinal $\zeta$ such that ${\to} = {\to^\zeta}$. The least such ordinal is called the closure ordinal. Note also that ${\to^\alpha} \subseteq {\to^\beta}$ for $\alpha \geq \beta$ (we often use this fact implicitly). See Section 3 below. The relation $\to^\alpha$ is called the $\alpha$-approximant of $\to$, or the approximant of $\to$ at stage $\alpha$. If $t \to^\alpha s$ then we say that $t \to s$ (holds) at (stage) $\alpha$. Note that the $\alpha$-approximants depend on a particular definition of $\to$ (i.e. on the function $F$), not solely on the relation $\to$ itself.

¹ This section is largely based on [22, Section 2].

It is instructive to note that the coinductive rules for $\to$ may also be interpreted as giving rules for the $(\alpha+1)$-approximants, for any ordinal $\alpha$.
\[
\frac{}{x \to^{\alpha+1} x}\ (1) \qquad
\frac{t \to^\alpha t'}{A(t) \to^{\alpha+1} A(t')}\ (2) \qquad
\frac{s \to^\alpha s' \quad t \to^\alpha t'}{B(s, t) \to^{\alpha+1} B(s', t')}\ (3) \qquad
\frac{t \to^\alpha t'}{A(t) \to^{\alpha+1} B(t', t')}\ (4)
\]


Usually, the closure ordinal for the definition of a coinductive relation is $\omega$. In general, however, it is not difficult to come up with a coinductive definition whose closure ordinal is greater than $\omega$. For instance, consider the relation $R \subseteq \mathbb{N} \cup \{\infty\}$ defined coinductively by the following two rules.
\[
\frac{R(n) \quad n \in \mathbb{N}}{R(n+1)} \qquad\qquad
\frac{\exists n \in \mathbb{N} .\, R(n)}{R(\infty)}
\]
We have² $R = \emptyset$, $R^n = \{ m \in \mathbb{N} \mid m \geq n \} \cup \{\infty\}$ for $n \in \mathbb{N}$, $R^\omega = \{\infty\}$, and only $R^{\omega+1} = \emptyset$. Thus the closure ordinal of this definition is $\omega + 1$.

Usually, we are interested in proving by coinduction statements of the form³
\[
\psi(R_1, \ldots, R_m) = \forall x_1 \ldots x_n .\, \varphi(\bar{x}) \to R_1(g_1(\bar{x}), \ldots, g_k(\bar{x})) \wedge \ldots \wedge R_m(g_1(\bar{x}), \ldots, g_k(\bar{x})).
\]
Statements with an existential quantifier may be reduced to statements of this form by skolemizing, as explained in Example 2.8 below.

To prove $\psi(R_1, \ldots, R_m)$ it suffices to show by transfinite induction that $\psi(R_1^\alpha, \ldots, R_m^\alpha)$ holds for each ordinal $\alpha \leq \zeta$, where $R_i^\alpha$ is the $\alpha$-approximant of $R_i$. The reader may easily check that because of the special form of $\psi$ and the fact that $R_i^0$ is the full relation, the base case $\alpha = 0$ and the cases of $\alpha$ a limit ordinal are trivial. Hence it remains to show the inductive step for $\alpha$ a successor ordinal. It turns out that a coinductive proof of $\psi$ may be interpreted as a proof of this inductive step for a successor ordinal, with the ordinals left implicit and the phrase "coinductive hypothesis" used instead of "inductive hypothesis".

Example 2.7. On terms from $T$ (see Example 2.6) we define the operation of substitution by guarded corecursion.
\[
\begin{array}{ll}
y[t/x] = y \ \text{ if } x \neq y & (A(s))[t/x] = A(s[t/x]) \\
x[t/x] = t & (B(s_1, s_2))[t/x] = B(s_1[t/x], s_2[t/x])
\end{array}
\]
We show by coinduction: if $s \to s'$ and $t \to t'$ then $s[t/x] \to s'[t'/x]$, where $\to$ is the relation from Example 2.6. Formally, the statement we show by transfinite induction on $\alpha \leq \zeta$ is: for $s, s', t, t' \in T$, if $s \to s'$ and $t \to t'$ then $s[t/x] \to^\alpha s'[t'/x]$. For illustrative purposes, we indicate the $\alpha$-approximants with appropriate ordinal superscripts, but it is customary to omit these superscripts.

Let us proceed with the proof. The proof is by coinduction with case analysis on $s \to s'$. If $s = s' = y$ with $y \neq x$, then $s[t/x] = y = s'[t'/x]$. If $s = s' = x$ then $s[t/x] = t \to^{\alpha+1} t' = s'[t'/x]$ (note that ${\to} = {\to^\zeta} \subseteq {\to^{\alpha+1}}$). If $s = A(s_1)$, $s' = A(s_1')$ and $s_1 \to s_1'$, then $s_1[t/x] \to^\alpha s_1'[t'/x]$ by the coinductive hypothesis. Thus $s[t/x] = A(s_1[t/x]) \to^{\alpha+1} A(s_1'[t'/x]) = s'[t'/x]$ by rule (2).

If $s = B(s_1, s_2)$, $s' = B(s_1', s_2')$ then the proof is analogous. If $s = A(s_1)$, $s' = B(s_1', s_1')$ and $s_1 \to s_1'$, then the proof is also similar. Indeed, by the coinductive hypothesis we have $s_1[t/x] \to^\alpha s_1'[t'/x]$, so $s[t/x] = A(s_1[t/x]) \to^{\alpha+1} B(s_1'[t'/x], s_1'[t'/x]) = s'[t'/x]$ by rule (4).

² We use $R^\alpha$ for the $\alpha$-approximant of $R$.

³ Here $\varphi(\bar{x})$ is a statement/formula (whatever it means) with only $x_1, \ldots, x_n$ occurring free. We believe that for explanatory purposes it is not necessary to make this any more precise. In general, we abbreviate $x_1, \ldots, x_n$ with $\bar{x}$. The symbols $R_1, \ldots, R_m$ stand for coinductive relations on $T$, i.e., relations defined as the greatest fixpoints of some monotone functions on the powerset of an appropriate cartesian product of $T$. The symbols $g_1, \ldots, g_k$ denote some functions of $\bar{x}$. The statement $\varphi$ may contain $R_1, \ldots, R_m$, but their occurrences in $\varphi$ are not affected by substituting different relations in $\psi$, e.g., if $\psi(R) = \forall x \in T .\, R(x) \to R(g(x))$ then $\psi(S) = \forall x \in T .\, R(x) \to S(g(x))$.

The reduction of coinduction to transfinite induction outlined here gives a simple criterion to check the correctness of coinductive proofs, using established principles. However, it is perhaps not the best way to understand coinduction intuitively. The author's intuition is that, in the context of the present paper, coinduction formalises the "and so on" arguments quite common when informally explaining proofs of properties of infinite discrete structures.⁴ Such intuitions are necessarily vague and can only be shaped through experience.

With the following example we explain how proofs of existential statements should be interpreted.

Example 2.8. Let $T$ and $\to$ be as in Example 2.6. We want to show: for all $s, t, t' \in T$, if $s \to t$ and $s \to t'$ then there exists $s' \in T$ with $t \to s'$ and $t' \to s'$. The idea is to skolemize this statement. So we need to find a Skolem function $f : T^3 \to T$ which will allow us to prove the Skolem normal form:

(∗) if $s \to t$ and $s \to t'$ then $t \to f(s, t, t')$ and $t' \to f(s, t, t')$.

The rules for $\to$ suggest a definition of $f$:
\[
\begin{array}{lcl}
f(x, x, x) & = & x \\
f(A(s), A(t), A(t')) & = & A(f(s, t, t')) \\
f(A(s), A(t), B(t', t')) & = & B(f(s, t, t'), f(s, t, t')) \\
f(A(s), B(t, t), A(t')) & = & B(f(s, t, t'), f(s, t, t')) \\
f(A(s), B(t, t), B(t', t')) & = & B(f(s, t, t'), f(s, t, t')) \\
f(B(s_1, s_2), B(t_1, t_2), B(t_1', t_2')) & = & B(f(s_1, t_1, t_1'), f(s_2, t_2, t_2')) \\
f(s, t, t') & = & \text{some arbitrary term if none of the above matches}
\end{array}
\]
This is a definition by guarded corecursion, so there exists a unique function $f : T^3 \to T$ satisfying the above equations.

We now proceed with a coinductive proof of (∗). Assume $s \to t$ and $s \to t'$. If $s = t = t' = x$ then $f(s, t, t') = x$, and $x \to x$ by rule (1). If $s = A(s_1)$, $t = A(t_1)$ and $t' = A(t_1')$ with $s_1 \to t_1$ and $s_1 \to t_1'$, then by the coinductive hypothesis $t_1 \to f(s_1, t_1, t_1')$ and $t_1' \to f(s_1, t_1, t_1')$. We have $f(s, t, t') = A(f(s_1, t_1, t_1'))$. Hence $t = A(t_1) \to f(s, t, t')$ and $t' = A(t_1') \to f(s, t, t')$, by rule (2).

If $s = B(s_1, s_2)$, $t = B(t_1, t_2)$ and $t' = B(t_1', t_2')$, with $s_1 \to t_1$, $s_1 \to t_1'$, $s_2 \to t_2$ and $s_2 \to t_2'$, then by the coinductive hypothesis we have $t_1 \to f(s_1, t_1, t_1')$, $t_1' \to f(s_1, t_1, t_1')$, $t_2 \to f(s_2, t_2, t_2')$ and $t_2' \to f(s_2, t_2, t_2')$. Hence $t = B(t_1, t_2) \to B(f(s_1, t_1, t_1'), f(s_2, t_2, t_2')) = f(s, t, t')$ by rule (3).

Analogously, $t' \to f(s, t, t')$ by rule (3). Other cases are similar.

⁴ How does one show that a Böhm tree $M$ of a finite lambda-term does not contain $\beta$-redexes? If $M = \bot$ then it is obvious. Otherwise $M = \lambda x_1 \ldots x_n .\, y\, M_1 \ldots M_m$ does not contain $\beta$-redexes, except perhaps in $M_1, \ldots, M_m$. And so on, we continue the argument for $M_1, \ldots, M_m$.
Usually, it is inconvenient to invent the Skolem function beforehand, because the definition of the Skolem function and the coinductive proof of the Skolem normal form are typically interdependent. Therefore, we adopt a style of doing a proof by coinduction of a statement
\[
\psi(R_1, \ldots, R_m) = \forall x_1, \ldots, x_n \in T .\, \varphi(\bar{x}) \to \exists y \in T .\, R_1(g_1(\bar{x}), \ldots, g_k(\bar{x}), y) \wedge \ldots \wedge R_m(g_1(\bar{x}), \ldots, g_k(\bar{x}), y)
\]
with an existential quantifier. We intertwine the corecursive definition of the Skolem function $f$ with a coinductive proof of the Skolem normal form
\[
\forall x_1, \ldots, x_n \in T .\, \varphi(\bar{x}) \to R_1(g_1(\bar{x}), \ldots, g_k(\bar{x}), f(\bar{x})) \wedge \ldots \wedge R_m(g_1(\bar{x}), \ldots, g_k(\bar{x}), f(\bar{x})).
\]
We pretend that the coinductive hypothesis is $\psi(R_1^\alpha, \ldots, R_m^\alpha)$. Each element obtained from the existential quantifier in the coinductive hypothesis is interpreted as a corecursive invocation of the Skolem function. When later we exhibit an element to show the existential subformula of $\psi(R_1^{\alpha+1}, \ldots, R_m^{\alpha+1})$, we interpret this as the definition of the Skolem function in the case specified by the assumptions currently active in the proof. Note that this exhibited element may (or may not) depend on some elements obtained from the existential quantifier in the coinductive hypothesis, i.e., the definition of the Skolem function may involve corecursive invocations.

To illustrate our style of doing coinductive proofs of statements with an existential quantifier, we redo the proof done above. For illustrative purposes, we indicate the arguments of the Skolem function, i.e., we write $s'_{s,t,t'}$ in place of $s'$. These subscripts $s, t, t'$ are normally omitted.

We show by coinduction that if $s \to t$ and $s \to t'$ then there exists $s' \in T$ with $t \to s'$ and $t' \to s'$. Assume $s \to t$ and $s \to t'$. If $s = t = t' = x$ then take $s'_{x,x,x} = x$. If $s = A(s_1)$, $t = A(t_1)$ and $t' = A(t_1')$ with $s_1 \to t_1$ and $s_1 \to t_1'$, then by the coinductive hypothesis we obtain⁵ $s'_{s_1,t_1,t_1'}$ with $t_1 \to s'_{s_1,t_1,t_1'}$ and $t_1' \to s'_{s_1,t_1,t_1'}$. Hence $t = A(t_1) \to A(s'_{s_1,t_1,t_1'})$ and $t' = A(t_1') \to A(s'_{s_1,t_1,t_1'})$, by rule (2). Thus we may take $s'_{s,t,t'} = A(s'_{s_1,t_1,t_1'})$. If $s = B(s_1, s_2)$, $t = B(t_1, t_2)$ and $t' = B(t_1', t_2')$, with $s_1 \to t_1$, $s_1 \to t_1'$, $s_2 \to t_2$ and $s_2 \to t_2'$, then by the coinductive hypothesis we obtain $s'_{s_1,t_1,t_1'}$ and $s'_{s_2,t_2,t_2'}$ with $t_1 \to s'_{s_1,t_1,t_1'}$, $t_1' \to s'_{s_1,t_1,t_1'}$, $t_2 \to s'_{s_2,t_2,t_2'}$ and $t_2' \to s'_{s_2,t_2,t_2'}$. Hence $t = B(t_1, t_2) \to B(s'_{s_1,t_1,t_1'}, s'_{s_2,t_2,t_2'})$ and $t' \to B(s'_{s_1,t_1,t_1'}, s'_{s_2,t_2,t_2'})$ by rule (3). Thus we may take $s'_{s,t,t'} = B(s'_{s_1,t_1,t_1'}, s'_{s_2,t_2,t_2'})$. Other cases are similar.

It is quite clear that the above proof, when interpreted in the way outlined before, implicitly defines the Skolem function $f$. It should be kept in mind that in every case the definition of the Skolem function needs to be guarded. We do not explicitly mention this each time, but verifying this is part of verifying the proof.

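The Skolem function of Example 2.8 and the relation $\to$ of Example 2.6 can be checked mechanically on finite terms. The following Python is an added example, not code from the paper: terms are nested tuples, $\to$ is decided by structural recursion (legitimate only because on finite terms every derivation tree is finite, so the inductive and coinductive readings of rules (1)-(4) coincide), $f$ is written clause by clause from the equations of Example 2.8, and (∗) is verified exhaustively over all reducts of every term up to a given depth. The tuple encoding and the helper names are my own; the coinductive argument is still needed for infinite terms, which no such check reaches.

```python
# Added example (not from the paper): finite terms of Example 2.6, the relation -> of
# Example 2.6 decided by recursion, and the Skolem function f of Example 2.8.  The tuple
# encoding and the helper names (reduces, reducts, skolem, diamond_holds, all_terms) are
# my own.  On finite terms every derivation tree is finite, so the inductive and the
# coinductive readings of rules (1)-(4) agree; infinite terms are out of reach here.


def V(x):
    return ("V", x)


def A(t):
    return ("A", t)


def B(s, t):
    return ("B", s, t)


def reduces(t1, t2):
    """t1 -> t2 according to rules (1)-(4) of Example 2.6 (finite terms only)."""
    tag = t1[0]
    if tag == "V":
        return t1 == t2                                          # rule (1)
    if tag == "A":
        if t2[0] == "A":
            return reduces(t1[1], t2[1])                         # rule (2)
        if t2[0] == "B":
            return t2[1] == t2[2] and reduces(t1[1], t2[1])      # rule (4)
        return False
    return (t2[0] == "B"                                         # rule (3)
            and reduces(t1[1], t2[1]) and reduces(t1[2], t2[2]))


def reducts(s):
    """All t with s -> t; a finite list for a finite term s."""
    tag = s[0]
    if tag == "V":
        return [s]
    if tag == "A":
        inner = reducts(s[1])
        return [A(u) for u in inner] + [B(u, u) for u in inner]
    return [B(u1, u2) for u1 in reducts(s[1]) for u2 in reducts(s[2])]


def _from_A(u):
    """Could u be a reduct of some A(s1)?  Only by rule (2) or rule (4)."""
    return u[0] == "A" or (u[0] == "B" and u[1] == u[2])


def skolem(s, t, tp):
    """The Skolem function f(s, t, t') of Example 2.8, clause by clause.

    Every clause applies exactly one constructor to the results of its recursive calls,
    which is the guardedness condition the paper asks the reader to verify."""
    if s[0] == "V" and s == t == tp:
        return s                                                 # f(x, x, x) = x
    if s[0] == "A" and _from_A(t) and _from_A(tp):
        u = skolem(s[1], t[1], tp[1])
        if t[0] == "A" and tp[0] == "A":
            return A(u)                                          # f(A s, A t, A t') = A(f(s,t,t'))
        return B(u, u)                                           # the three mixed A/B clauses
    if s[0] == "B" and t[0] == "B" and tp[0] == "B":
        return B(skolem(s[1], t[1], tp[1]), skolem(s[2], t[2], tp[2]))
    return V("arbitrary")                                        # "none of the above matches"


def diamond_holds(s):
    """Check (*) of Example 2.8 for s: for all t, t' with s -> t and s -> t', the term
    f(s, t, t') is a common reduct.  Exhaustive because reducts(s) is finite."""
    rs = reducts(s)
    return all(reduces(t, skolem(s, t, tp)) and reduces(tp, skolem(s, t, tp))
               for t in rs for tp in rs)


def all_terms(depth, variables=("x", "y")):
    """Every finite term of T over the given variables up to the given depth, so that
    (*) can be checked on a whole finite fragment rather than on one hand-picked term."""
    if depth == 0:
        return [V(x) for x in variables]
    smaller = all_terms(depth - 1, variables)
    return (smaller
            + [A(t) for t in smaller]
            + [B(t1, t2) for t1 in smaller for t2 in smaller])
```

The `V("arbitrary")` clause is never reached when the assumptions $s \to t$ and $s \to t'$ hold, which is exactly why the proof can leave that case unspecified; `diamond_holds` only ever feeds `skolem` pairs of genuine reducts.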

In practice, when doing proofs by coinduction the following simple but a bit informal criteria need to be kept in mind.

• When we conclude from the coinductive hypothesis that some relation $R(t_1, \ldots, t_n)$ holds, this really means that only its approximant $R^\alpha(t_1, \ldots, t_n)$ holds. Usually, we need to infer that the next approximant $R^{\alpha+1}(s_1, \ldots, s_n)$ holds (for some other elements $s_1, \ldots, s_n$) by using $R^\alpha(t_1, \ldots, t_n)$ as a premise of an appropriate rule. But we cannot, e.g., inspect (do case reasoning on) $R^\alpha(t_1, \ldots, t_n)$, use it in any lemmas, or otherwise treat it as $R(t_1, \ldots, t_n)$.

• An element $e$ obtained from an existential quantifier in the coinductive hypothesis is not really the element itself, but a corecursive invocation of the implicit Skolem function. Usually, we need to put it inside some constructor $c$, e.g. producing $c(e)$, and then exhibit $c(e)$ in the proof of an existential statement. Applying at least one constructor to $e$ is necessary to ensure guardedness of the implicit Skolem function. But we cannot, e.g., inspect $e$, apply some previously defined functions to it, or otherwise treat it as if it was really given to us.

• In the proofs of existential statements, the implicit Skolem function cannot depend on the ordinal $\alpha$. However, this is the case as long as we do not violate the first point, because if the ordinals are never mentioned and we do not inspect the approximants obtained from the coinductive hypothesis, then there is no way in which we could possibly introduce a dependency on $\alpha$.

⁵ More precisely: by corecursively applying the Skolem function to $s_1, t_1, t_1'$ we obtain $s'_{s_1,t_1,t_1'}$, and by the coinductive hypothesis we have $t_1 \to s'_{s_1,t_1,t_1'}$ and $t_1' \to s'_{s_1,t_1,t_1'}$.

Equality on coterms may be characterised coinductively. 

Definition 2.9. Let E be amany-sorted algebraic signature, as in Definition ^. 11 Let T = T(S). 

Define on T a binary relation = of bisimilarity by the coinductive rules 

ti — si ... t n — s n 
f (tl, ... ,t n ) = f(si,...,s n ) 


for each constructor / € E c . 

It is intuitively obvious that on coterms bisimilary is the same as identity. The following 
easy proposition makes this precise. 

Proposition 2.10. For t,s € T we have: t = s iff t = s. 

Proof. Recall that each term is formally a partial function from $\mathbb{N}^*$ to $\Sigma_c$. We write $t(p) \simeq s(p)$ if either both $t(p), s(p)$ are defined and equal, or both are undefined.

Assume $t \equiv s$. It suffices to show by induction on the length of $p \in \mathbb{N}^*$ that $t|_p \equiv s|_p$ or $t(p)\!\uparrow, s(p)\!\uparrow$, where by $t|_p$ we denote the subterm of $t$ at position $p$. For $p = \epsilon$ this is obvious. Assume $p = p'j$. By the inductive hypothesis, $t|_{p'} \equiv s|_{p'}$ or $t(p')\!\uparrow, s(p')\!\uparrow$. If $t|_{p'} \equiv s|_{p'}$ then $t|_{p'} = f(t_0,\ldots,t_n)$ and $s|_{p'} = f(s_0,\ldots,s_n)$ for some $f \in \Sigma_c$ with $t_i \equiv s_i$ for $i = 0,\ldots,n$. If $0 \le j \le n$ then $t|_p = t_j \equiv s_j = s|_p$. Otherwise, if $j > n$ or if $t(p')\!\uparrow, s(p')\!\uparrow$, then $t(p)\!\uparrow, s(p)\!\uparrow$ by the definition of coterms.

For the other direction, we show by coinduction that for any $t \in T$ we have $t \equiv t$. If $t \in T$ then $t = f(t_1,\ldots,t_n)$ for some $f \in \Sigma_c$. By the coinductive hypothesis we obtain $t_i \equiv t_i$ for $i = 1,\ldots,n$. Hence $t \equiv t$ by the rule for $f$. □

For coterms $t, s \in T$, we shall therefore use the notations $t \equiv s$ and $t = s$ interchangeably, employing Proposition 2.10 implicitly.

Example 2.11. Recall the coinductive definitions of zip and even from Example 2.5:

$$\begin{aligned}
\mathrm{even}(x : y : t) &= x : \mathrm{even}(t) \\
\mathrm{zip}(x : t, s) &= x : \mathrm{zip}(s, t)
\end{aligned}$$

By coinduction we show

$$\mathrm{zip}(\mathrm{even}(t), \mathrm{even}(\mathrm{tl}(t))) = t$$

for any stream $t \in A^\omega$. Let $t \in A^\omega$. Then $t = x : y : s$ for some $x, y \in A$ and $s \in A^\omega$. We have

$$\begin{aligned}
\mathrm{zip}(\mathrm{even}(t), \mathrm{even}(\mathrm{tl}(t))) &= \mathrm{zip}(\mathrm{even}(x : y : s), \mathrm{even}(y : s)) \\
&= \mathrm{zip}(x : \mathrm{even}(s), \mathrm{even}(y : s)) \\
&= x : \mathrm{zip}(\mathrm{even}(y : s), \mathrm{even}(s)) \\
&= x : y : s \quad \text{(by CH)} \\
&= t
\end{aligned}$$

In the equality marked with (by CH) we use the coinductive hypothesis, and implicitly a bisimilarity rule from Definition 2.9.

The above explanation of coinduction is generalised and elaborated in much more detail in Section 4. Also [55] may be helpful as it gives many examples of coinductive proofs written in a style similar to the one used here. The book [53] is an elementary introduction to coinduction and bisimulation (but the proofs there are written in a different style than here). A good way of learning coinduction is by doing non-trivial coinductive proofs. Some people may initially find a proof assistant helpful for this purpose. The chapters USUIS] explain coinduction in Coq from a practical viewpoint. A reader interested in foundational matters should also consult [55, 51] which deal with the coalgebraic approach to coinduction.


3 Preliminaries

In this section we provide the necessary background on order theory. We also introduce some new or non-standard definitions and easy lemmas which will be needed in subsequent developments. For more background on order theory see e.g. [25].

Definition 3.1. A partial order is a pair $\mathbb{P} = (P, \le)$ where $P$ is a set and $\le$ is an antisymmetric, reflexive and transitive binary relation on $P$. We often confuse $\mathbb{P}$ with $P$ or $\le$. The dual of a partial order $\mathbb{P} = (P, \le)$ is a partial order $\mathbb{P}^{op} = (P, \ge)$ where $x \ge y$ iff $y \le x$. If $A$ is a set, and $\mathbb{P}_a = (P_a, \le_a)$ is a partial order for each $a \in A$, then the product $\prod_{a\in A}\mathbb{P}_a = (\prod_{a\in A} P_a, \le)$ is a partial order with $\le$ defined by: $p \le q$ iff $p(a) \le_a q(a)$ for each $a \in A$. If $A = \{a_1,\ldots,a_n\}$ is finite, then we write $\prod_{a\in A}\mathbb{P}_a = \mathbb{P}_{a_1}\times\ldots\times\mathbb{P}_{a_n}$. If $\mathbb{P}_a = \mathbb{P}$ for each $a \in A$ then we write $\prod_{a\in A}\mathbb{P} = \mathbb{P}^A = A \to \mathbb{P}$.

An element $x \in P$ is maximal (minimal) if there is no $y \in P$ with $y > x$ ($y < x$). The set of all maximal (minimal) elements of $P$ is denoted by $\mathrm{Max}(P)$ ($\mathrm{Min}(P)$). A function $f : P \to Q$ is max-preserving (min-preserving) if $f(\mathrm{Max}(P)) \subseteq \mathrm{Max}(Q)$ ($f(\mathrm{Min}(P)) \subseteq \mathrm{Min}(Q)$). The least element (greatest element) of a set $X \subseteq P$ is an element $x \in X$ such that $x \le y$ ($x \ge y$) for all $y \in X$. A well-order is a partial order in which every nonempty subset has the least element.

An up-set (down-set) is a subset $U \subseteq P$ such that if $x \in U$ and $y \ge x$ ($y \le x$) then $y \in U$. A chain is a subset $C \subseteq P$ satisfying: for all $x, y \in C$, $x \le y$ or $y \le x$. A directed set in a partial order $P$ is a nonempty subset $D \subseteq P$ such that for all $x, y \in D$ there exists $z \in D$ such that $z \ge x, y$. A bottom $\bot$ (top $\top$) of $P$ is an element of $P$ satisfying $\bot \le x$ ($x \le \top$) for any $x \in P$. We sometimes write $\bot_P$ and $\top_P$ when ambiguity may arise. An upper bound (lower bound) of a subset $D \subseteq P$ is an element $x \in P$ such that $x \ge y$ ($x \le y$) for all $y \in D$, which we denote $D \le x$ ($x \le D$). A supremum or least upper bound or join (infimum or greatest lower bound or meet) of a subset $D \subseteq P$ is an element $\bigvee D \in P$ ($\bigwedge D \in P$) such that $D \le \bigvee D$ ($\bigwedge D \le D$) and for any $s \in P$ with $D \le s$ ($s \le D$) we have $\bigvee D \le s$ ($s \le \bigwedge D$). We sometimes denote the supremum of $D$ by $\sup D$ and the infimum by $\inf D$.

A partial order is chain-complete if every chain has a supremum. A complete partial order 
(CPO) is a partial order with bottom in which every directed set has a supremum. A partial 
order is a complete lattice if every set has a supremum. 
A function $f : P \to Q$ between partial orders is monotone if it preserves the ordering, i.e., $x \le y$ implies $f(x) \le f(y)$. A function $f : P \to Q$ between CPOs is continuous if for every directed set $D \subseteq P$, $f(D)$ is directed and $f(\bigvee D) = \bigvee f(D)$. An endofunction on a set $X$ is simply a function $f : X \to X$. A fixpoint of an endofunction $f$ on a partial order $P$ is an element $x \in P$ such that $f(x) = x$. The set of all fixpoints of $f$ is denoted by $\mathrm{Fix}(f)$. The least fixpoint $\mu f$ (greatest fixpoint $\nu f$) of an endofunction $f$ is a fixpoint of $f$ such that $\mu f \le x$ ($\nu f \ge x$) for any fixpoint $x$ of $f$.

An initial (final) sequence of an endofunction $f$ on $P$ is an ordinal-indexed sequence $(f^\alpha)_\alpha$ of elements of $P$ satisfying:

• $f^0 = \bot$ ($f^0 = \top$),

• $f^{\alpha+1} = f(f^\alpha)$,

• $f^\lambda = \bigvee_{\alpha<\lambda} f^\alpha$ ($f^\lambda = \bigwedge_{\alpha<\lambda} f^\alpha$) for a limit ordinal $\lambda$.

A limit of an initial (final) sequence of $f$ is an element $x \in P$ for which there exists an ordinal $\zeta$ such that $f^\alpha = x$ for $\alpha \ge \zeta$. The least such $\zeta$ is called the closure ordinal of the sequence.

For an ordinal $\alpha$, we denote by $On(\alpha)$ the set of all ordinals $\le \alpha$.

The following lemma is folklore. 

Lemma 3.2. Let $(f^\alpha)_\alpha$ be the initial (final) sequence of a monotone endofunction $f$. Then $f^\alpha \le f^\beta$ ($f^\alpha \ge f^\beta$) for $\alpha \le \beta$.

Proof. Suppose $(f^\alpha)_\alpha$ is the initial sequence of $f$. The proof for the final sequence is dual. We show by induction on $\beta$ that $f^\alpha \le f^\beta$ for all $\alpha \le \beta$. The base case $\beta = 0$ is obvious.

If $\beta = \gamma + 1$ then $f^\beta = f(f^\gamma)$ and by the inductive hypothesis $f^\gamma \ge f^\alpha$ for $\alpha \le \gamma$. Hence, it suffices to show $f^\beta \ge f^\gamma$. If $\gamma = 0$ then obviously $f^\beta \ge f^\gamma = \bot$. If $\gamma = \delta + 1$ then $f^\gamma \ge f^\delta$, and thus $f^\beta = f(f^\gamma) \ge f(f^\delta) = f^\gamma$ by the monotonicity of $f$. If $\gamma$ is a limit ordinal then

$$f^\beta = f(f^\gamma) = f\Big(\bigvee_{\alpha<\gamma} f^\alpha\Big) \ge \bigvee_{\alpha<\gamma} f(f^\alpha) = \bigvee_{\alpha<\gamma} f^{\alpha+1} = \bigvee_{\alpha<\gamma} f^\alpha = f^\gamma$$

where the inequality follows from the monotonicity of $f$ and the definition of supremum.

Thus assume $\beta$ is a limit ordinal. But then by definition $f^\beta = \bigvee_{\alpha<\beta} f^\alpha \ge f^\alpha$ for $\alpha < \beta$. □

In the following lemma we collect simple well-known properties of lattices and CPOs.

Lemma 3.3.

• In a complete lattice each subset has an infimum.

• Any complete lattice has the bottom and top elements.

• The dual of a complete lattice is also a complete lattice.

• For any set $A$, the power set $\mathcal{P}(A)$ is a complete lattice.

• If $\mathbb{P}_a$ is a CPO for each $a \in A$, then $\prod_{a\in A}\mathbb{P}_a$ is a CPO with $\bot_{\prod_{a\in A}\mathbb{P}_a}$ defined by $\bot_{\prod_{a\in A}\mathbb{P}_a}(a) = \bot_{\mathbb{P}_a}$.

• Every continuous function is monotone.

• Every CPO is chain-complete.

It is also true that every chain-complete partial order is a CPO [23, Theorem 8.11].

An initial (final) sequence of an endofunction on a partial order need not exist. Even if it exists, its limit need not exist. However, the situation is more definite for monotone endofunctions on CPOs or complete lattices.

Theorem 3.4. Every monotone endofunction $f$ on a CPO has the least fixpoint $\mu f$. Moreover, $\mu f$ is the limit of the initial sequence of $f$.

Proof. See e.g. [24, Theorem 10.5 and Exercise 8.19]. □

Theorem 3.5. Every monotone endofunction $f$ on a complete lattice $L$ has the least and greatest fixpoints. Moreover, $\mu f$ is the limit of the initial, and $\nu f$ of the final, sequence of $f$.

Proof. The part about $\mu f$ follows from the previous theorem, because every complete lattice is a CPO. The part about $\nu f$ also follows from the previous theorem, by applying it to the dual of $L$. □

The following theorem implies that every CPO has a maximal element.

Theorem 3.6 (Kuratowski-Zorn Lemma). If $P$ is a partial order in which every non-empty chain has an upper bound, then for every $x \in P$ there exists a maximal $y \ge x$.

Proof. See e.g. [24, Chapter 10]. □

Lemma 3.7. Let $A$, $B$ be CPOs, and let $F : B^A \to B^A$ be monotone. If $F(f)$ is monotone for each monotone $f \in B^A$, then the least fixpoint of $F$ is monotone.

Proof. Since $F$ is monotone, its least fixpoint $\mu F$ is the limit of the initial sequence $(f^\alpha)_\alpha$ of $F$. It suffices to show by induction on $\alpha$ that each $f^\alpha$ is monotone. If $\alpha = 0$ then this is obvious, because $f^0(x) = \bot$ for each $x \in A$. For $\alpha = \beta + 1$, $f^\alpha = F(f^\beta)$ is monotone, because $f^\beta$ is monotone by the inductive hypothesis. Thus let $\alpha$ be a limit ordinal. Then $f^\alpha = \bigvee_{\beta<\alpha} f^\beta$. By Lemma 3.2, $\{f^\beta \mid \beta < \alpha\}$ is a chain in $B^A$. Thus $\{f^\beta(x) \mid \beta < \alpha\}$ is a chain in $B$ for any $x \in A$. Let $x, y \in A$ and $x \le y$. Then $f^\beta(x) \le f^\beta(y)$ for $\beta < \alpha$, because $f^\beta$ is monotone by the inductive hypothesis. Hence $f^\beta(x) \le \bigvee_{\gamma<\alpha} f^\gamma(y)$. This holds for any $\beta < \alpha$, so $\bigvee_{\beta<\alpha} f^\beta(x) \le \bigvee_{\gamma<\alpha} f^\gamma(y)$. Thus $f^\alpha(x) \le f^\alpha(y)$. Therefore $f^\alpha$ is monotone. □

4 Coinductive techniques 

In this section we give a presentation of coinductive techniques, with a view of applying them in Section 5 to infinitary lambda-calculus.

In Section 4.1 we develop a theory to justify possibly non-guarded corecursive definitions. The approach is to extend the codomains to sized CPOs (see Definition 4.2). In principle, this approach is fairly general, because any final coalgebra in the category of sets may be converted into a sized CPO (see the appendix). It is important to note that the theory is formulated in such a way as to make it unnecessary in most cases to deal directly with any CPO structure. Usually, to prove that a function is well-defined by corecursion, it suffices to show that a certain prefix production function $\eta : \mathbb{N}^k \to \mathbb{N}$ satisfies $\eta(n_1,\ldots,n_k) > \min_{i=1,\ldots,k} n_i$.

In Section 4.2 we apply the theory to some concrete examples. The examples involve many-sorted coterms. We also develop a style of justifying corecursive definitions. This style is close enough to our theory to be considered rigorous - only some straightforward checks are left implicit.

In Section 4.3 we develop a style of doing coinductive proofs. Some complex examples are presented, with explanations of how to rigorously justify their correctness.

In Section 4.4 we give some examples of definitions and proofs mixing coinduction with induction, or nesting coinduction.

As already mentioned, the theory and the results of this section are not really new. The aim of this section is to give an explanation of coinduction understandable to a broad audience, and to introduce a certain style of doing coinductive proofs. For this purpose, we give a new presentation of “essentially known” facts, which may serve as a reasonably direct justification for coinductive proofs. The mathematically novel results of this paper are contained in Section 5 where we use coinductive techniques to prove confluence of Böhm reduction in infinitary lambda-calculus.

4.1 Corecursion 

We are mostly interested in corecursion as a definition method for functions with a set of possibly 
infinite objects as codomain. The following example illustrates the kind of arguments which we 
want to make precise. 

Example 4.1. A stream over a set $A$ is an infinite sequence from $A^\omega$. For $s \in A^\omega$ and $n \in \mathbb{N}$, by $s_n$ we denote the $n$-th element of $s$. If $a \in A$ and $s \in A^\omega$, then by $a : s$ we denote the stream $s$ with $a$ prepended, i.e., $(a : s)_0 = a$ and $(a : s)_{n+1} = s_n$. Consider the equation

$$\mathrm{even}(x : y : t) = x : \mathrm{even}(t)$$

Intuitively, this equation uniquely determines a function even on streams such that $(\mathrm{even}(s))_n = s_{2n}$. In this simple case, using inductive reasoning one could show that the function even defined by $(\mathrm{even}(s))_n = s_{2n}$ is indeed the unique solution of the given equation. The problem is how to prove existence and uniqueness without finding an explicit definition of the function, which is often inconvenient or difficult.

Informally, one way would be to argue as follows. We show by induction that for every $n \in \mathbb{N}$ and any stream $s$, $\mathrm{even}(s)$ approximates a stream up to depth $n$, i.e., at least the first $n$ elements of $\mathrm{even}(s)$ are well-defined. Then it will follow that every element of $\mathrm{even}(s)$ is well-defined, so $\mathrm{even}(s)$ is a stream. For $n = 0$ it is obvious that $\mathrm{even}(s)$ approximates a stream up to depth 0. Assume that for every stream $s$, $\mathrm{even}(s)$ approximates a stream up to depth $n$. Let $s$ be a stream. Since $s = x : y : s'$ for some stream $s'$, we have $\mathrm{even}(s) = x : \mathrm{even}(s')$. By the inductive hypothesis, $\mathrm{even}(s')$ approximates a stream up to depth $n$, so $\mathrm{even}(s)$ approximates a stream up to depth $n + 1$.

Of course, this argument is not rigorous, because we did not formally define what it means to approximate a stream up to depth $n \in \mathbb{N}$ - only an informal explanation was given. More formally, the proof could be formulated as follows.

Let $P = A^* \cup A^\omega$ be ordered by $\sqsubseteq$ where: $s \sqsubseteq s'$ iff $s$ is a prefix of $s'$. One easily checks that $(P, \sqsubseteq)$ is a CPO. For $s \in P$, by $|s| \in \mathbb{N} \cup \{\infty\}$ we denote the length of $s$. The function $F : P^{A^\omega} \to P^{A^\omega}$ defined for $f \in P^{A^\omega}$, $s \in A^\omega$ by

$$F(f)(s) = x : f(s') \quad \text{where } s = x : y : s'$$

is monotone. Therefore, by Theorem 3.4 it has the least fixpoint even. By induction we show that for every $n \in \mathbb{N}$, $|\mathrm{even}(s)| \ge n$ for any $s \in A^\omega$. This is obvious for $n = 0$. Assume $|\mathrm{even}(s)| \ge n$ for every $s \in A^\omega$. Let $s \in A^\omega$. We have $\mathrm{even}(s) = F(\mathrm{even})(s) = x : \mathrm{even}(s')$ where $s = x : y : s'$. From this and the inductive hypothesis we obtain $|\mathrm{even}(s)| \ge n + 1$. Therefore $|\mathrm{even}(s)| = \infty$ for every $s \in A^\omega$. Hence $\mathrm{even} \in A^\omega \to A^\omega$, i.e., it is maximal in $P^{A^\omega}$. Since even is maximal and it is the least fixpoint of $F$, it must be the unique fixpoint of $F$. Because every solution (in $A^\omega \to A^\omega$) of

$$\mathrm{even}(x : y : s) = x : \mathrm{even}(s)$$

is a fixpoint of $F$, we conclude that this equation has a unique solution in $A^\omega \to A^\omega$ (namely, the fixpoint even of $F$). □
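The induction "even(s) approximates a stream up to depth n" can be run mechanically. The following Python code is an added example, not from the paper: it computes the initial sequence $f^0 = \bot$, $f^{n+1} = F(f^n)$ of Example 4.1 on finite prefixes and contrasts the guarded equations for even and zip with an unguarded one. The endofunctions F_even, F_zip, F_bad and the helper names are ours; a stream is modelled as a function from $\mathbb{N}$ to $A$.

```python
# Added example (not part of the paper): the initial sequence f^0 = ⊥,
# f^{n+1} = F(f^n) of Example 4.1 in the CPO P = A* ∪ A^ω ordered by the
# prefix relation.  A stream is modelled as a function ℕ → A and an
# approximant f^n(s) as a finite prefix in A*, so |f^n(s)| is its size.
# F_even, F_zip and F_bad are ours, written from the equations of
# Examples 2.11 and 4.1.
from typing import Callable, List

Stream = Callable[[int], int]   # a stream s is represented by n ↦ s_n
Prefix = List[int]              # a finite approximation, an element of A*


def tail(s: Stream, k: int = 1) -> Stream:
    """Drop the first k elements of a stream."""
    return lambda n: s(n + k)


def F_even(f):
    """F(f)(s) = x : f(s') where s = x : y : s'   (even(x : y : t) = x : even(t))."""
    return lambda s: [s(0)] + f(tail(s, 2))


def F_zip(f):
    """F(f)(t, s) = x : f(s, t') where t = x : t'   (zip(x : t, s) = x : zip(s, t))."""
    return lambda t, s: [t(0)] + f(s, tail(t))


def F_bad(f):
    """Unguarded equation  bad(x : t) = bad(t): no constructor guards the call."""
    return lambda s: f(tail(s))


def initial_sequence(F, depth: int, *args: Stream) -> List[Prefix]:
    """Return [f^0(args), ..., f^depth(args)], where f^0 = ⊥ is the function
    returning the empty prefix (the bottom of P^{A^ω}) on every input."""
    f = lambda *_: []
    approximants = [f(*args)]
    for _ in range(depth):
        f = F(f)                      # f^{n+1} = F(f^n)
        approximants.append(f(*args))
    return approximants


def is_prefix(p: Prefix, q: Prefix) -> bool:
    """p ⊑ q in (P, ⊑)."""
    return len(p) <= len(q) and q[:len(p)] == p


def is_chain(approximants: List[Prefix]) -> bool:
    """Lemma 3.2: the initial sequence of a monotone endofunction is increasing."""
    return all(is_prefix(p, q) for p, q in zip(approximants, approximants[1:]))


def sizes(approximants: List[Prefix]) -> List[int]:
    """|f^n(s)| for each approximant.  For even this reaches every n, which is
    the induction of Example 4.1: the least fixpoint is maximal, i.e. a stream.
    For bad every approximant stays at ⊥, so the least fixpoint is not maximal
    and the equation does not have a unique solution in A^ω → A^ω."""
    return [len(p) for p in approximants]


if __name__ == "__main__":
    nat: Stream = lambda n: n                           # the stream 0, 1, 2, ...
    print(initial_sequence(F_even, 3, nat))             # [[], [0], [0, 2], [0, 2, 4]]
    print(sizes(initial_sequence(F_bad, 3, nat)))       # [0, 0, 0, 0]
    evens, odds = (lambda n: 2 * n), (lambda n: 2 * n + 1)
    print(initial_sequence(F_zip, 4, evens, odds)[-1])  # [0, 1, 2, 3]
```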




In what follows we develop a theory which generalizes the above kind of reasoning. To formulate the theory, we introduce a CPO structure on each set of infinite objects we are interested in. The original objects are maximal elements of the CPO, with other elements of the CPO being their “approximations”.

More specifically, let $A$ and $B$ be sets. We are interested in the existence of a unique fixpoint $f : A \to B$ of an endofunction $F : B^A \to B^A$. The strategy for finding $f$ is to find a CPO $\mathbb{B}$ and a monotone endofunction $F^+ : \mathbb{B}^A \to \mathbb{B}^A$ such that $\mathrm{Max}(\mathbb{B}) = B$, $F^+(g)(x) = F(g)(x)$ for $x \in A$ and $g \in B^A$ (i.e. $F^+$ agrees with $F$ on maximal elements of $\mathbb{B}^A$), and the least fixpoint $f$ of $F^+$ is in $B^A$ (i.e. it is maximal in $\mathbb{B}^A$). Then $f$ is the unique fixpoint of $F^+$, so it is also the unique fixpoint of $F$, because any fixpoint of $F$ is a fixpoint of $F^+$. To show that the least fixpoint of $F^+$ is maximal, we need a notion of the size of an element of a CPO. This leads to the following definition.

Definition 4.2. A sized CPO is a tuple $(\mathbb{A}, \zeta, s, \mathrm{cut})$ where $\mathbb{A}$ is a CPO, $\zeta$ is a size ordinal, $s : \mathbb{A} \to On(\zeta)$ is a size function, and $\mathrm{cut} : On(\zeta) \times \mathbb{A} \to \mathbb{A}$ is the cut function, such that the following conditions are satisfied for $x \in \mathbb{A}$ and $\alpha \le \zeta$:

1. $s$ is surjective and continuous,

2. $s(x) = \zeta$ iff $x \in \mathbb{A}$ is maximal,

3. cut is monotone in both arguments,

4. $s(\mathrm{cut}(\alpha, x)) = \alpha$ if $s(x) \ge \alpha$,

5. $\mathrm{cut}(\alpha, x) = x$ if $s(x) \le \alpha$.

Usually we confuse a sized CPO with its underlying CPO. Thus e.g. by a function between sized CPOs we just mean a function between their underlying CPOs. We say that a CPO $\mathbb{A}$ is a sized CPO if there exists a size ordinal $\zeta$, a size function $s : \mathbb{A} \to On(\zeta)$ and a cut function $\mathrm{cut} : On(\zeta)\times\mathbb{A} \to \mathbb{A}$ such that $(\mathbb{A}, \zeta, s, \mathrm{cut})$ is a sized CPO. Given a sized CPO $\mathbb{A}$ we use $\zeta_\mathbb{A}$ for its associated size ordinal, $s_\mathbb{A}$ for the associated size function, and $\mathrm{cut}_\mathbb{A}$ for the associated cut function. We often drop the subscripts when clear from the context.

Let $S$ be a nonempty set. The flat sized CPO $S_\bot$ on $S$ is defined as $((S \cup \{\bot\}, \le), 1, s, \mathrm{cut})$ where the following holds for $x, y \in S_\bot$:

• $x \le y$ iff $x = \bot$ or $x = y$,

• $s(x) = 1$ if $x \ne \bot$, $s(\bot) = 0$,

• $\mathrm{cut}(0, x) = \bot$, $\mathrm{cut}(1, x) = x$.

It is not difficult to check that $S_\bot$ is indeed a sized CPO.

Let $\mathbb{A}, \mathbb{B}$ be CPOs and $A, B$ their sets of maximal elements. For $f^* : \mathbb{A} \to \mathbb{B}$, the restriction $f^*\!\restriction_A : A \to \mathbb{B}$ of $f^*$ is defined by $f^*\!\restriction_A(x) = f^*(x)$ for $x \in A$. Then $f^*$ is an extension of $f^*\!\restriction_A$. A function between CPOs is regular if it is monotone and max-preserving. Let $S$ be an arbitrary set. A function $f : S\times\mathbb{A} \to \mathbb{B}$ is regular if$^6$ $\lambda y.f(x,y)$ is regular for each $x \in S$.

Intuitively, in a sized CPO $\mathbb{A}$ the cut function $\mathrm{cut}(\alpha, x)$ “cuts” an element $x$ of size $\ge \alpha$ to its approximation of size $\alpha$, i.e., $\mathrm{cut}(\alpha, x) \le x$ for every $x \in \mathbb{A}$. Indeed, let $x \in \mathbb{A}$. If $s(x) \le \alpha$ then $\mathrm{cut}(\alpha, x) = x \le x$. So assume $s(x) > \alpha$. Then $\mathrm{cut}(\alpha, x) \le \mathrm{cut}(s(x), x) = x$.

In the rest of this section we assume that $S, Q, \ldots$ are arbitrary sets, and $\mathbb{A}, \mathbb{B}, \ldots$ are sized CPOs, and $A, B, \ldots$ are their corresponding sets of maximal elements, unless otherwise stated.

$^6$ By $\lambda y.f(x,y)$ we denote a function $f' : \mathbb{A} \to \mathbb{B}$ defined by $f'(y) = f(x,y)$. We will sometimes use the lambda-notation in what follows.
Lemma 4.3. Suppose $F : \mathbb{A}^S \to \mathbb{A}^S$ is a monotone endofunction satisfying

$$\min_{x\in S} s(F(g)(x)) > \min_{x\in S} s(g(x))$$

for each non-maximal $g \in \mathbb{A}^S$. Then $F$ has a unique fixpoint. Moreover, this fixpoint is maximal (i.e. a member of $A^S$).

Proof. Because $F$ is monotone, by Theorem 3.4 it has the least fixpoint $f$. It suffices to show that $f \in A^S$. Assume otherwise. Then $f$ is not maximal, so

$$\min_{x\in S} s(f(x)) < \min_{x\in S} s(F(f)(x)) = \min_{x\in S} s(f(x)).$$

Contradiction. □


Lemma 4.4. Let $\mathbb{A}$ be a CPO and $\mathbb{B}$ a sized CPO. Let $h : \mathbb{A}\times\mathbb{B}^m \to \mathbb{B}$ and $g_i : \mathbb{A} \to \mathbb{A}$ ($i = 1,\ldots,m$) be regular. Suppose

$$(*)\quad s(h(x, y_1,\ldots,y_m)) > \min_{i=1,\ldots,m} s(y_i)$$

for all $x \in A$ and all $y_1,\ldots,y_m \in \mathbb{B}$ with some $y_k$ non-maximal. Then there exists the least fixpoint $f^*$ of an endofunction $F^* : \mathbb{B}^\mathbb{A} \to \mathbb{B}^\mathbb{A}$ defined by

$$F^*(f)(x) = h(x, f(g_1(x)),\ldots,f(g_m(x)))$$

for $f \in \mathbb{B}^\mathbb{A}$ and $x \in \mathbb{A}$. Moreover, $f^*$ is regular and $f^*\!\restriction_A \in \mathbb{B}^A$ is the unique function in $\mathbb{B}^A$ satisfying

$$f^*\!\restriction_A(x) = h(x, f^*\!\restriction_A(g_1(x)),\ldots,f^*\!\restriction_A(g_m(x)))$$

for $x \in A$.


Proof. Since $h$ is monotone, so is $F^*$. Indeed, assume $f \le f'$ where $f, f' \in \mathbb{B}^\mathbb{A}$. To show $F^*(f) \le F^*(f')$ it suffices to prove $F^*(f)(x) \le F^*(f')(x)$ for $x \in \mathbb{A}$. But this follows from $f \le f'$ and the monotonicity of $h$. Therefore, since $F^*$ is monotone, by Theorem 3.4 it has the least fixpoint $f^*$.

Let $F : \mathbb{B}^A \to \mathbb{B}^A$ be defined by $F(f)(x) = h(x, f(g_1(x)),\ldots,f(g_m(x)))$. Note that indeed $F(f) \in \mathbb{B}^A$ for $f \in \mathbb{B}^A$, because each $g_i$ is max-preserving.

We show that for non-maximal $f \in \mathbb{B}^A$ we have $\min_{x\in A} s(F(f)(x)) > \min_{x\in A} s(f(x))$. Let $f \in \mathbb{B}^A$ be non-maximal. Let $A' \subseteq A$ be the set of all $x \in A$ such that $f(g_i(x))$ is not maximal for some $i$.

First assume $A' = \emptyset$, i.e., $f(g_i(x))$ is maximal for all $i = 1,\ldots,m$ and all $x \in A$. Then $F(f)(x) = h(x, f(g_1(x)),\ldots,f(g_m(x)))$ is maximal for $x \in A$, because $h$ is max-preserving. Hence

$$\min_{x\in A} s(F(f)(x)) = \zeta > \min_{x\in A} s(f(x))$$

because $F(f)(x)$ is maximal for all $x \in A$, but there is $x \in A$ for which $f(x)$ is not maximal.

Thus assume $A' \ne \emptyset$. Since, for $x \in A$, $s(h(x, f(g_1(x)),\ldots,f(g_m(x)))) = \zeta$ if $f(g_i(x))$ is maximal for all $i$, and $A' \ne \emptyset$, we have

$$\min_{x\in A} s(h(x, f(g_1(x)),\ldots,f(g_m(x)))) = \min_{x\in A'} s(h(x, f(g_1(x)),\ldots,f(g_m(x)))).$$

Hence

$$\begin{aligned}
\min_{x\in A} s(F(f)(x)) &= \min_{x\in A} s(h(x, f(g_1(x)),\ldots,f(g_m(x)))) \\
&= \min_{x\in A'} s(h(x, f(g_1(x)),\ldots,f(g_m(x)))) \\
&> \min_{x\in A'} \min_{i=1,\ldots,m} s(f(g_i(x))) \\
&\ge \min_{x\in A} s(f(x))
\end{aligned}$$

where the strict inequality follows from (*).

Therefore, for non-maximal $f \in \mathbb{B}^A$ we have $\min_{x\in A} s(F(f)(x)) > \min_{x\in A} s(f(x))$. Thus by Lemma 4.3 the endofunction $F$ has a unique fixpoint $u$. Recall that $f^*$ is the least fixpoint of $F^*$. Note that $f^*\!\restriction_A$ is a fixpoint of $F$. Indeed, for $x \in A$ we have

$$f^*(x) = F^*(f^*)(x) = h(x, f^*(g_1(x)),\ldots,f^*(g_m(x))) = F(f^*\!\restriction_A)(x).$$

Therefore $f^*\!\restriction_A = u$, so it is the unique function in $\mathbb{B}^A$ satisfying

$$f^*\!\restriction_A(x) = h(x, f^*\!\restriction_A(g_1(x)),\ldots,f^*\!\restriction_A(g_m(x)))$$

for $x \in A$.

It remains to check that $f^*$ is regular. Since $f^*\!\restriction_A \in B^A$, the function $f^*$ is max-preserving. Because $h$ and all $g_i$ are monotone, for monotone $f$ the function $F^*(f)$ is monotone. By Lemma 3.7 we thus conclude that $f^*$ is monotone. Hence $f^*$ is regular. □

Corollary 4.5. Let $h : S\times\mathbb{B}^m \to \mathbb{B}$ be regular. Let $g_i : S \to S$ ($i = 1,\ldots,m$). Suppose

$$(*)\quad s(h(x, y_1,\ldots,y_m)) > \min_{i=1,\ldots,m} s(y_i)$$

for all $x \in S$ and all $y_1,\ldots,y_m \in \mathbb{B}$ with some $y_k$ non-maximal. Then there exists a unique function $f : S \to B$ satisfying

$$f(x) = h(x, f(g_1(x)),\ldots,f(g_m(x)))$$

for $x \in S$.

Proof. Let $\mathbb{S} = S_\bot$ be the flat CPO on $S$. There exists a regular extension $g_i^* : \mathbb{S} \to \mathbb{S}$ of each $g_i$, defined by

$$g_i^*(x) = \begin{cases} g_i(x) & \text{if } x \in S \\ \bot & \text{otherwise}\end{cases}$$

for $x \in \mathbb{S}$. Analogously, there exists a regular $h^* : \mathbb{S}\times\mathbb{B}^m \to \mathbb{B}$ defined by

$$h^*(x, \vec{y}) = \begin{cases} h(x, \vec{y}) & \text{if } x \in S \\ \bot & \text{otherwise}\end{cases}$$

for $x \in \mathbb{S}$ and $\vec{y} \in \mathbb{B}^m$. Moreover, $h^*$ satisfies (*) in Lemma 4.4. Therefore, we may apply Lemma 4.4 to obtain the required function $f$. □

At this point it is worthwhile to emphasize one aspect of our approach. Ultimately, we 
really only care about the maximal elements in a CPO, and only about functions between sets 
of maximal elements. That we introduce a structure of a CPO is only to be able to rigorously 
justify certain methods for defining corecursive functions. But once these methods have been 
shown correct, to apply them we usually do not need to directly deal with the CPO structure 
at all. The following makes this more apparent. 

Definition 4.6. A function $f : S \to Q$ is defined by substitution from $h : Q_1\times\ldots\times Q_m \to Q$ and $g_i : S \to Q_i$ ($i = 1,\ldots,m$) if $f(x) = h(g_1(x),\ldots,g_m(x))$ for $x \in S$. A function $f : S \to Q$ is defined by cases from functions $g_i : S \to Q$ ($i = 0,\ldots,m$) and condition functions $h_i : S \to \{0,1\}$ ($i = 1,\ldots,m$), if for $x \in S$:

• $f(x) = g_i(x)$ if $h_i(x) = 1$,

• $f(x) = g_0(x)$ if $h_i(x) = 0$ for all $i = 1,\ldots,m$,

• there is no $x \in S$ with $h_i(x) = h_j(x) = 1$ for $i \ne j$.

A function $f : S \to Q$ is defined by corecursion from $h : S\times Q^m \to Q$ and $g_i : S \to S$ ($i = 1,\ldots,m$) if it is the unique function in $Q^S$ satisfying

$$f(x) = h(x, f(g_1(x)),\ldots,f(g_m(x)))$$

for all $x \in S$. We say that $h$ is a prefix function for $f$, and each $g_i$ is an argument function for $f$. Note that given $h$ and $g_i$, there might not exist any function defined by corecursion from $h$ and $g_i$.

A production function $\eta_f : On(\zeta_{\mathbb{A}_1})\times\ldots\times On(\zeta_{\mathbb{A}_n}) \to On(\zeta_\mathbb{B})$ for $f : A_1\times\ldots\times A_n \to B$ is any function satisfying

$$\eta_f(s(x_1),\ldots,s(x_n)) = s(f^*(x_1,\ldots,x_n))$$

for $x_i \in \mathbb{A}_i$ ($i = 1,\ldots,n$), where $f^* \in \mathbb{A}_1\times\ldots\times\mathbb{A}_n \to \mathbb{B}$ is a regular extension of $f$. We then also say that $\eta_f$ is a production function for $f^*$, or that $f^*$ is associated with $\eta_f$. If a production function $\eta_f$ for $f : A_1\times\ldots\times A_n \to B$ is clear from the context, then we use $f^*$ to denote the regular extension of $f$ associated with $\eta_f$.

Any production function $\eta_h$ for a prefix function $h$ for $f$ is called a global prefix production function for $f$. If $x \in S$ and $h : S\times\mathbb{B}^m \to \mathbb{B}$ is a prefix function for $f : S \to B$, then any production function $\eta_h^x : On(\zeta_\mathbb{B})^m \to On(\zeta_\mathbb{B})$ for the $x$-local prefix function $\lambda y.h(x,y)$ is called an $x$-local prefix production function for $f$. We use the term prefix production function for either a local or a global prefix production function, depending on the context.

Lemma 4.7. Any production function $\eta_f : On(\zeta_{\mathbb{A}_1})\times\ldots\times On(\zeta_{\mathbb{A}_n}) \to On(\zeta_\mathbb{B})$ for a function $f : A_1\times\ldots\times A_n \to B$ is regular.

Proof. Let $f^* : \mathbb{A}_1\times\ldots\times\mathbb{A}_n \to \mathbb{B}$ be the regular extension of $f$ associated with $\eta_f$. Let $\alpha_i \le \beta_i \le \zeta_{\mathbb{A}_i}$ for $i = 1,\ldots,n$. Because the size functions for each $\mathbb{A}_i$ are surjective, for every $i = 1,\ldots,n$ there is $y_i \in \mathbb{A}_i$ such that $s(y_i) = \beta_i$. Let $x_i = \mathrm{cut}(\alpha_i, y_i)$. Because of the monotonicity of the cut function we have $x_i \le \mathrm{cut}(\beta_i, y_i) = y_i$. Also $s(x_i) = \alpha_i$ by the definition of cut. Hence

$$\begin{aligned}
\eta_f(\alpha_1,\ldots,\alpha_n) &= \eta_f(s(x_1),\ldots,s(x_n)) \\
&= s(f^*(x_1,\ldots,x_n)) \\
&\le s(f^*(y_1,\ldots,y_n)) \\
&= \eta_f(s(y_1),\ldots,s(y_n)) \\
&= \eta_f(\beta_1,\ldots,\beta_n)
\end{aligned}$$

where the inequality follows from the fact that $f^*$ and $s$ are monotone. Therefore $\eta_f$ is monotone.

To show that $\eta_f$ is max-preserving, we need to prove $\eta_f(\zeta_{\mathbb{A}_1},\ldots,\zeta_{\mathbb{A}_n}) = \zeta_\mathbb{B}$. Let $x_i \in A_i$ for $i = 1,\ldots,n$. Then $f^*(x_1,\ldots,x_n)$ is maximal, because $f^*$ is max-preserving. Thus

$$\eta_f(\zeta_{\mathbb{A}_1},\ldots,\zeta_{\mathbb{A}_n}) = \eta_f(s(x_1),\ldots,s(x_n)) = s(f^*(x_1,\ldots,x_n)) = \zeta_\mathbb{B}. \qquad □$$

The following corollary implies that to determine whether there exists a function defined by corecursion it suffices to bound the values of local prefix production functions. Thus no analysis of the underlying CPO structure is needed, as long as we are able to calculate the production functions.

Corollary 4.8. Let $h : S\times\mathbb{B}^m \to \mathbb{B}$ and $g_i : S \to S$ ($i = 1,\ldots,m$). Suppose for each $x \in S$, a function $\eta_h^x$ is an $x$-local prefix production function, i.e., a production function for $\lambda y.h(x,y)$. Assume

$$(*)\quad \eta_h^x(\alpha_1,\ldots,\alpha_m) > \min_{i=1,\ldots,m} \alpha_i$$

for each $x \in S$ and all $\alpha_1,\ldots,\alpha_m \le \zeta_\mathbb{B}$ such that $\alpha_k < \zeta_\mathbb{B}$ for some $1 \le k \le m$. Then there exists a function defined by corecursion from $h$ and $g_i$ ($i = 1,\ldots,m$), i.e., a unique function $f : S \to B$ satisfying

$$f(x) = h(x, f(g_1(x)),\ldots,f(g_m(x)))$$

for all $x \in S$.

Proof. Follows from Corollary 4.5. □


Note that for any function $f : A_1\times\ldots\times A_n \to B$ there exists a production function. Simply take the function $\eta_f$ defined by:

$$\eta_f(\alpha_1,\ldots,\alpha_n) = \begin{cases} \zeta_\mathbb{B} & \text{if } \alpha_i = \zeta_{\mathbb{A}_i} \text{ for } i = 1,\ldots,n \\ 0 & \text{otherwise}\end{cases}$$

Then the regular function $f^* : \mathbb{A}_1\times\ldots\times\mathbb{A}_n \to \mathbb{B}$ associated with $\eta_f$ is defined by

$$f^*(x_1,\ldots,x_n) = \begin{cases} f(x_1,\ldots,x_n) & \text{if } x_i \in A_i \text{ for } i = 1,\ldots,n \\ \bot & \text{otherwise}\end{cases}$$

The point is to be able to find “sensible” production functions, and then use them to verify (*) in Corollary 4.8. Below we show how to compute production functions for functions defined by substitution, cases or corecursion.

Let $\mathbf{2} = \{0,1\}_\bot$ be the flat sized CPO on $\{0,1\}$. In what follows we assume that $\mathbf{2}$ is the sized CPO associated with $\{0,1\}$, e.g., a production function for $f : A \to \{0,1\}$ is assumed to have $On(1) = \{0,1\}$ as its codomain. Recall that $s_\mathbf{2}(0) = s_\mathbf{2}(1) = 1$ and $s_\mathbf{2}(\bot) = 0$.

Lemma 4.9.

• The function $\eta(\alpha_1,\ldots,\alpha_n) = \alpha_i$ is a continuous production function for the $i$-th projection function $\pi_i : A_1\times\ldots\times A_n \to A_i$ defined by $\pi_i(x_1,\ldots,x_n) = x_i$.

• The function $\eta(\alpha) = \alpha$ is a continuous production function for the identity function $\mathrm{id} : A \to A$.

• The function $\eta : \{0,1\}^n \to \{0,1\}$ defined by $\eta(\alpha_1,\ldots,\alpha_n) = \min_{i=1,\ldots,n} \alpha_i$ is a continuous production function for any function $f : \{0,1\}^n \to \{0,1\}$.

Proof. Follows from definitions. □


Lemma 4.10. If a function $f : A_1\times\ldots\times A_n \to B$ is defined by substitution from functions $h : B_1\times\ldots\times B_m \to B$ and $g_i : A_1\times\ldots\times A_n \to B_i$ ($i = 1,\ldots,m$), and $\eta_h$ and $\eta_{g_i}$ are production functions for $h$ and $g_i$ respectively, then the function $\eta_f$ defined by

$$\eta_f(\alpha_1,\ldots,\alpha_n) = \eta_h(\eta_{g_1}(\alpha_1,\ldots,\alpha_n),\ldots,\eta_{g_m}(\alpha_1,\ldots,\alpha_n))$$

is a production function for $f$. Moreover, if $\eta_h$ and all $\eta_{g_i}$ are continuous, then so is $\eta_f$.

Proof. Follows directly from definitions. □


Corollary 4.11.

• If $\eta_g$ is a (continuous) production function for $g : A^m \to B$, then

$$\eta(\alpha_1,\ldots,\alpha_m) = \eta_g(\alpha_{\tau(1)},\ldots,\alpha_{\tau(m)})$$

is a (continuous) production function for $f : A^m \to B$ defined by

$$f(x_1,\ldots,x_m) = g(x_{\tau(1)},\ldots,x_{\tau(m)})$$

where $\tau : \{1,\ldots,m\} \to \{1,\ldots,m\}$.

• If $\eta_g$ is a (continuous) production function for $g : A_1\times\ldots\times A_n \to B$, then

$$\eta(\alpha_1,\ldots,\alpha_n,\beta_1,\ldots,\beta_k) = \eta_g(\alpha_1,\ldots,\alpha_n)$$

is a (continuous) production function for $f : A_1\times\ldots\times A_n\times B_1\times\ldots\times B_k \to B$ defined by $f(x_1,\ldots,x_n,y_1,\ldots,y_k) = g(x_1,\ldots,x_n)$ for $x_i \in A_i$ ($i = 1,\ldots,n$), $y_i \in B_i$ ($i = 1,\ldots,k$).

Proof. Follows from the first point of Lemma 4.9 and from Lemma 4.10. □

Lemma 4.12. If a function $f : A_1\times\ldots\times A_n \to B$ is defined by cases from $g_i : A_1\times\ldots\times A_n \to B$ ($i = 0,\ldots,m$) and $h_i : A_1\times\ldots\times A_n \to \{0,1\}$ ($i = 1,\ldots,m$), and $\eta_{g_i}$ is a production function for $g_i$, and $\eta_{h_i}$ is a production function for $h_i$, then the function $\eta_f$ defined by

$$\eta_f(\alpha_1,\ldots,\alpha_n) = \begin{cases} \min_{i=0,\ldots,m} \eta_{g_i}(\alpha_1,\ldots,\alpha_n) & \text{if } \eta_{h_i}(\alpha_1,\ldots,\alpha_n) = 1 \text{ for every } i = 1,\ldots,m \\ 0 & \text{otherwise}\end{cases}$$

is a production function for $f$. Moreover, if all $\eta_{g_i}$ and all $\eta_{h_i}$ are continuous, then so is $\eta_f$.

Proof. Let $g_i^* : \mathbb{A}_1\times\ldots\times\mathbb{A}_n \to \mathbb{B}$ and $h_i^* : \mathbb{A}_1\times\ldots\times\mathbb{A}_n \to \mathbf{2}$ be the regular extensions associated with $\eta_{g_i}$ and $\eta_{h_i}$ respectively. Writing $\vec{x}$ for $x_1,\ldots,x_n$, define $f^* : \mathbb{A}_1\times\ldots\times\mathbb{A}_n \to \mathbb{B}$ by

$$f^*(\vec{x}) = \begin{cases} \mathrm{cut}(\kappa(\vec{x}), g_k^*(\vec{x})) & \text{if } h_i^*(\vec{x}) \ne \bot \text{ for } 1 \le i \le m, \text{ and } k \text{ is least s.t. } h_k^*(\vec{x}) = 1 \\ \mathrm{cut}(\kappa(\vec{x}), g_0^*(\vec{x})) & \text{if } h_i^*(\vec{x}) = 0 \text{ for } 1 \le i \le m \\ \bot & \text{otherwise}\end{cases}$$

where $x_i \in \mathbb{A}_i$ ($i = 1,\ldots,n$) and $\kappa(\vec{x}) = \min_{i=0,\ldots,m} \eta_{g_i}(s(x_1),\ldots,s(x_n))$. One easily checks that $f^*$ is an extension of $f$. Hence $f^*$ is max-preserving. To show that $f^*$ is regular it thus suffices to check that it is monotone. Assume $x_i \le y_i$ for $i = 1,\ldots,n$. We need to show $f^*(\vec{x}) \le f^*(\vec{y})$. If $f^*(\vec{x}) = \bot$ then this is obvious. So assume, e.g., $h_k^*(\vec{x}) = 1$ and $h_i^*(\vec{x}) \ne \bot$ for $i = 1,\ldots,m$. Then $h_i^*(\vec{y}) = h_i^*(\vec{x})$ for $i = 1,\ldots,m$, because each $h_i^*$ is monotone. Thus it suffices to show $\mathrm{cut}(\kappa(\vec{x}), g_k^*(\vec{x})) \le \mathrm{cut}(\kappa(\vec{y}), g_k^*(\vec{y}))$. Because $g_i^*$ for $i = 0,\ldots,m$ and $s$ are monotone, $s(g_i^*(\vec{x})) \le s(g_i^*(\vec{y}))$ for $i = 0,\ldots,m$. Hence

$$\begin{aligned}
\kappa(\vec{x}) &= \min_{i=0,\ldots,m} \eta_{g_i}(s(x_1),\ldots,s(x_n)) \\
&= \min_{i=0,\ldots,m} s(g_i^*(\vec{x})) \\
&\le \min_{i=0,\ldots,m} s(g_i^*(\vec{y})) \\
&= \min_{i=0,\ldots,m} \eta_{g_i}(s(y_1),\ldots,s(y_n)) \\
&= \kappa(\vec{y}).
\end{aligned}$$

Therefore

$$\mathrm{cut}(\kappa(\vec{x}), g_k^*(\vec{x})) \le \mathrm{cut}(\kappa(\vec{y}), g_k^*(\vec{y}))$$

because $g_k^*$ and cut are monotone.

We now check that the function $\eta_f$ defined in the statement of the lemma is a production function for $f^*$. Let $x_i \in \mathbb{A}_i$ for $i = 1,\ldots,n$. If $h_i^*(\vec{x}) = \bot$ for some $i = 1,\ldots,m$, then $\eta_{h_i}(s(x_1),\ldots,s(x_n)) = 0$ and $f^*(\vec{x}) = \bot$. Hence

$$\eta_f(s(x_1),\ldots,s(x_n)) = 0 = s(f^*(\vec{x})).$$

Thus assume, e.g., $h_i^*(\vec{x}) = 0$ for all $i = 1,\ldots,m$. Then $\eta_{h_i}(s(x_1),\ldots,s(x_n)) = 1$ for every $i = 1,\ldots,m$, and $f^*(\vec{x}) = \mathrm{cut}(\kappa(\vec{x}), g_0^*(\vec{x}))$. Therefore

$$\begin{aligned}
\eta_f(s(x_1),\ldots,s(x_n)) &= \min_{i=0,\ldots,m} \eta_{g_i}(s(x_1),\ldots,s(x_n)) \\
&= \kappa(\vec{x}) \\
&= \min\{\kappa(\vec{x}), \eta_{g_0}(s(x_1),\ldots,s(x_n))\} \\
&= \min\{\kappa(\vec{x}), s(g_0^*(\vec{x}))\} \\
&= s(\mathrm{cut}(\kappa(\vec{x}), g_0^*(\vec{x}))) \\
&= s(f^*(\vec{x})).
\end{aligned}$$

It remains to show that if all $\eta_{g_i}$ and $\eta_{h_i}$ are continuous, then so is $\eta_f$. Let $D \subseteq On(\zeta_{\mathbb{A}_1})\times\ldots\times On(\zeta_{\mathbb{A}_n})$ be a directed set. First assume $\eta_{h_i}(\bigvee D) = 0$ for some $1 \le i \le m$. Then $\eta_f(\bigvee D) = 0$ by the definition of $\eta_f$. Also $\bigvee \eta_{h_i}(D) = \eta_{h_i}(\bigvee D) = 0$ by continuity of $\eta_{h_i}$. Hence $\eta_{h_i}(d) = 0$ for every $d \in D$. So $\eta_f(d) = 0$ for $d \in D$. Hence $\bigvee \eta_f(D) = 0 = \eta_f(\bigvee D)$.

So assume $\eta_{h_i}(\bigvee D) = 1$ for every $1 \le i \le m$. Then

$$\eta_f(\bigvee D) = \min_{i=0,\ldots,m} \eta_{g_i}(\bigvee D) = \min_{i=0,\ldots,m} \bigvee \eta_{g_i}(D)$$

by the continuity of $\eta_{g_i}$. Let $D^*$ be the set of all $d \in D$ such that $\eta_{h_i}(d) = 1$ for all $i = 1,\ldots,m$. We have $\bigvee \eta_{h_i}(D) = \eta_{h_i}(\bigvee D) = 1$ for every $i = 1,\ldots,m$. So for every $i = 1,\ldots,m$ there is $d_i \in D$ such that $\eta_{h_i}(d_i) = 1$. Because $D$ is directed and each $\eta_{h_i}$ is monotone, we thus have $D^* \ne \emptyset$ (an element greater or equal all of $d_1,\ldots,d_m$ is in $D^*$). Hence for every $d \in D$ there is $d^* \in D^*$ such that $d^* \ge d$ (take an element greater or equal than $d$ and than some element of $D^*$). Thus for every $d \in D$ there is $d^* \in D^*$ such that $\min_{i=0,\ldots,m} \eta_{g_i}(d) \le \min_{i=0,\ldots,m} \eta_{g_i}(d^*)$. Therefore

$$\bigvee \eta_f(D) = \bigvee_{d^*\in D^*} \min_{i=0,\ldots,m} \eta_{g_i}(d^*) = \bigvee_{d\in D} \min_{i=0,\ldots,m} \eta_{g_i}(d).$$

Hence it suffices to show

$$\min_{i=0,\ldots,m} \bigvee \eta_{g_i}(D) = \bigvee_{d\in D} \min_{i=0,\ldots,m} \eta_{g_i}(d).$$

Let $L = \min_{i=0,\ldots,m} \bigvee \eta_{g_i}(D)$ and $R = \bigvee_{d\in D} \min_{i=0,\ldots,m} \eta_{g_i}(d)$. Without loss of generality, assume $L = \bigvee \eta_{g_0}(D)$. We need to show $L \le R$ and $R \le L$. For $R \le L$ it suffices to show that $L \ge \min_{i=0,\ldots,m} \eta_{g_i}(d)$ for $d \in D$. But $L \ge \eta_{g_0}(d) \ge \min_{i=0,\ldots,m} \eta_{g_i}(d)$ for $d \in D$. For $L \le R$ it suffices to show $R \ge \eta_{g_0}(d)$ for $d \in D$. So let $d \in D$ and assume $R < \eta_{g_0}(d)$. We have $\bigvee \eta_{g_i}(D) \ge \eta_{g_0}(d)$ for $i = 0,\ldots,m$, so for every $i = 0,\ldots,m$ there exists $d_i \in D$ with $\eta_{g_i}(d_i) > R$. Because $D$ is directed there is a $d' \in D$ such that $d' \ge d_i$ for $i = 0,\ldots,m$. Then $\eta_{g_i}(d') > R$ for $i = 0,\ldots,m$, because each $\eta_{g_i}$ is monotone. Hence $\min_{i=0,\ldots,m} \eta_{g_i}(d') > R$. This contradicts the definition of $R$. □


The following theorem shows how to calculate a production function for a function defined by corecursion.

Theorem 4.13. Let $h : A_1 \times \ldots \times A_n \times B^m \to B$ and $g_i : A_1 \times \ldots \times A_n \to A_1 \times \ldots \times A_n$ ($i = 1, \ldots, m$) where

\[
g_i(x_1, \ldots, x_n) = (g_i^1(x_1, \ldots, x_n), \ldots, g_i^n(x_1, \ldots, x_n))
\]

for $x_j \in A_j$ ($i = 1, \ldots, m$, $j = 1, \ldots, n$). Let $\eta_h$ be a production function for $h$, and $\eta_{i,j}$ a production function for $g_i^j$ ($i = 1, \ldots, m$, $j = 1, \ldots, n$). Assume that $\eta_h$ satisfies:

\[
(\star) \qquad \eta_h(\zeta_{A_1}, \ldots, \zeta_{A_n}, \beta_1, \ldots, \beta_m) > \min_{i=1,\ldots,m} \beta_i
\]

for all $\beta_1, \ldots, \beta_m \le \zeta_B$ with $\beta_i < \zeta_B$ for some $1 \le i \le m$.

If $f : A \to B$ is a function defined by corecursion from $h$ and $g_i$ ($i = 1, \ldots, m$), then there exists a production function $\eta_f$ for $f$ satisfying for all $\alpha \in \mathrm{On}(\zeta_{A_1}) \times \ldots \times \mathrm{On}(\zeta_{A_n})$ the equation

\[
\eta_f(\alpha) = \eta_h(\alpha, \eta_f(\eta_{1,1}(\alpha), \ldots, \eta_{1,n}(\alpha)), \ldots, \eta_f(\eta_{m,1}(\alpha), \ldots, \eta_{m,n}(\alpha)))
\]

Moreover, if $\eta_h$ and all $\eta_{i,j}$ ($i = 1, \ldots, m$, $j = 1, \ldots, n$) are continuous, then so is $\eta_f$.

Proof. Let $h^*$ be the regular extension associated with $\eta_h$, and $g_i^{j*}$ the regular extension associated with $\eta_{i,j}$ for $i = 1, \ldots, m$ and $j = 1, \ldots, n$. Let $A = A_1 \times \ldots \times A_n$. For $i = 1, \ldots, m$, let $g_i^* : A \to A$ be defined by

\[
g_i^*(x) = (g_i^{1*}(x), \ldots, g_i^{n*}(x))
\]

for $x \in A$. Let $F^* : B^A \to B^A$ be defined by

\[
F^*(f')(x) = h^*(x, f'(g_1^*(x)), \ldots, f'(g_m^*(x)))
\]

for $x \in A$. Then $f$ is the restriction of the least fixpoint $f^*$ of $F^*$, by $(\star)$ and Lemma 4.4. Let $(f^\alpha)_\alpha$ be the initial sequence of $F^*$. Let $W = \mathrm{On}(\zeta_{A_1}) \times \ldots \times \mathrm{On}(\zeta_{A_n})$. Let $\eta_i : W \to W$ be defined by

\[
\eta_i(w) = (\eta_{i,1}(w), \ldots, \eta_{i,n}(w))
\]

for $w \in W$. If $x = (x_1, \ldots, x_n) \in A$ then we write $s(x)$ for $(s(x_1), \ldots, s(x_n))$. Note that

\[
\eta_i(s(x)) = s(g_i^*(x))
\]

for $x \in A$.

By transfinite induction on $\alpha$ we show that there exists a production function $\eta^\alpha$ for $f^\alpha$. For $\alpha = 0$ we may define $\eta^0$ by $\eta^0(w) = 0$ for $w \in W$, because $f^0(x) = \bot$ for any $x \in A$.

For $\alpha = \beta + 1$ we define

\[
\eta^{\beta+1}(w) = \eta_h(w, \eta^\beta(\eta_1(w)), \ldots, \eta^\beta(\eta_m(w)))
\]

Then the equality

\[
f^{\beta+1}(x) = h^*(x, f^\beta(g_1^*(x)), \ldots, f^\beta(g_m^*(x)))
\]

and the inductive hypothesis imply that $\eta^{\beta+1}(s(x)) = s(f^{\beta+1}(x))$.

Finally, let $\alpha$ be a limit ordinal. For $x \in A$ we have

\[
f^\alpha(x) = \bigvee_{\beta < \alpha} h^*(x, f^\beta(g_1^*(x)), \ldots, f^\beta(g_m^*(x)))
\]

Because $s_B$ is continuous and $f^\beta \le f^{\beta+1}$, we obtain

\[
\begin{aligned}
s(f^\alpha(x)) &= s\Big(\bigvee_{\beta<\alpha} f^\beta(x)\Big) \\
&= s\Big(\bigvee_{\beta<\alpha} f^{\beta+1}(x)\Big) \\
&= s\Big(\bigvee_{\beta<\alpha} h^*(x, f^\beta(g_1^*(x)), \ldots, f^\beta(g_m^*(x)))\Big) \\
&= \bigvee_{\beta<\alpha} s(h^*(x, f^\beta(g_1^*(x)), \ldots, f^\beta(g_m^*(x)))) \\
&= \bigvee_{\beta<\alpha} \eta_h(s(x), \eta^\beta(\eta_1(s(x))), \ldots, \eta^\beta(\eta_m(s(x))))
\end{aligned}
\]

where in the last equality we use the inductive hypothesis. Therefore, we may define

\[
\eta^\alpha(w) = \bigvee_{\beta<\alpha} \eta_h(w, \eta^\beta(\eta_1(w)), \ldots, \eta^\beta(\eta_m(w)))
\]

The join always exists, because $s_{A_i}$ is surjective for $i = 1, \ldots, m$. Indeed, for any $w \in W$ there is $x \in A$ such that $w = s(x)$, by surjectivity. So

\[
\begin{aligned}
\eta^\alpha(w) &= \bigvee_{\beta<\alpha} \eta_h(s(x), \eta^\beta(\eta_1(s(x))), \ldots, \eta^\beta(\eta_m(s(x)))) \\
&= \bigvee_{\beta<\alpha} s(f^\beta(x))
\end{aligned}
\]

which exists because $\{f^\beta(x) \mid \beta < \alpha\}$ is a chain and $s_B$ is continuous.

Let $\kappa$ be the closure ordinal of $(f^\alpha)_\alpha$. Then $f^{\kappa+1} = f^\kappa$, so for $x \in A$:

\[
\eta^{\kappa+1}(s(x)) = s(f^{\kappa+1}(x)) = s(f^\kappa(x)) = \eta^\kappa(s(x))
\]

Since $s_{A_i}$ is surjective for $i = 1, \ldots, m$, we thus have $\eta^{\kappa+1} = \eta^\kappa$. So for $w \in W$:

\[
\eta^\kappa(w) = \eta^{\kappa+1}(w) = \eta_h(w, \eta^\kappa(\eta_1(w)), \ldots, \eta^\kappa(\eta_m(w)))
\]

Therefore, $\eta^\kappa$ is the required production function for $f^* = f^\kappa$.

If $\eta_h$ and all $\eta_{i,j}$ are continuous, then it follows by transfinite induction on $\alpha$ that each $\eta^\alpha$ is continuous. □


4.2 Coterms

The above general theory for defining corecursive functions will now be illustrated with some concrete examples. The examples will involve many-sorted coterms.

Definition 4.14. A many-sorted algebraic signature $\Sigma = (\Sigma_s, \Sigma_f)$ consists of a collection of sort symbols $\Sigma_s = \{s_i\}_{i \in I}$ and a collection of function symbols $\Sigma_f = \{f_j\}_{j \in J}$. Each function symbol $f$ has an associated type $\tau(f) = (s_1, \ldots, s_n; s)$ where $s_1, \ldots, s_n, s \in \Sigma_s$. If $\tau(f) = (; s)$ then $f$ is a constant of sort $s$. In what follows we use $\Sigma, \Sigma'$, etc., for many-sorted algebraic signatures, $s, s'$, etc., for sort symbols, and $f, g, c$, etc., for function symbols.

The set $T^\infty(\Sigma)$, or just $T(\Sigma)$, of coterms over $\Sigma$ is the set of all finite and infinite terms over $\Sigma$, i.e., all finite and infinite labelled trees with labels of nodes specified by the function symbols of $\Sigma$ such that the types of labels of nodes agree. More precisely, a coterm over $\Sigma$ is a function $t : \mathbb{N}^* \to \Sigma_f \cup \{\Lambda\}$, where $\Lambda \notin \Sigma_f$, satisfying:

• $t(\varepsilon) \ne \Lambda$, and

• if $t(p) = f \in \Sigma_f$ with $\tau(f) = (s_1, \ldots, s_n; s)$ then

– $t(pi) = g \in \Sigma_f$ with $\tau(g) = (\ldots; s_i)$ for $i \le n$,

– $t(pi) = \Lambda$ for $i > n$,

• if $t(p) = \Lambda$ then $t(pi) = \Lambda$ for every $i \in \mathbb{N}$,

where $\varepsilon \in \mathbb{N}^*$ is the empty string. We use obvious notations for coterms, e.g., $f(g(t,s),c)$ when $c, f, g \in \Sigma_f$ and $t, s \in T(\Sigma)$, and the types agree. We say that a coterm $t$ is of sort $s$ if $t(\varepsilon)$ is a function symbol of type $(s_1, \ldots, s_n; s)$ for some $s_1, \ldots, s_n \in \Sigma_s$. By $T_s(\Sigma)$ we denote the set of all coterms of sort $s$ from $T(\Sigma)$. We also write $T_*(\Sigma)$ for $T(\Sigma)$, i.e., by $*$ we denote a special sort of all coterms.

The $n$-th approximant of a coterm $t \in T(\Sigma)$ is a function $t{\restriction}n : \mathbb{N}^* \to \Sigma_f \cup \{\bot\}$ such that

• $t{\restriction}n(p) = t(p)$ if $|p| < n$, or $|p| = n > 0$ and $t(p)$ is a constant, i.e., $\tau(t(p)) = (; s)$ for some $s \in \Sigma_s$,

• $t{\restriction}n(p) = \bot$ otherwise,

where by $|p|$ we denote the length of $p \in \mathbb{N}^*$. In other words, $t{\restriction}n$ is $t$ cut at depth $n$, but we do not change constants in leaves at depth $n > 0$ into $\bot$. By $T^n(\Sigma)$ we denote the set of all $n$-th approximants of coterms over $\Sigma$. We extend the notation $t{\restriction}m$ to approximants $t \in T^n(\Sigma)$ in the obvious way. We also use obvious notations for approximants, e.g., the first approximant of $f(g(t_1), h(t_2), c)$ is denoted by $f(\bot, \bot, c)$. We say that an approximant $t \in T^n(\Sigma)$ is of sort $s \in \Sigma_s$ if either $t(\varepsilon) = \bot$ or $t(\varepsilon)$ is a function symbol of type $(s_1, \ldots, s_n; s)$ for some $s_1, \ldots, s_n \in \Sigma_s$. By $T_s^n(\Sigma)$ we denote the set of all $t \in T^n(\Sigma)$ of sort $s$.

The partial order $\mathbb{N}_\infty = (\mathbb{N} \cup \{\infty\}, \le)$ is ordered by the usual order on $\mathbb{N}$ extended with $n \le \infty$ for $n \in \mathbb{N}_\infty$. Note that $\mathbb{N}_\infty$ is isomorphic to $\mathrm{On}(\omega)$. We extend the arithmetical operations on $\mathbb{N}$ to $\mathbb{N}_\infty$ in an obvious way, with $\infty - n = \infty$, $n + \infty = \infty + n = \infty + \infty = \infty$, $n \cdot \infty = \infty \cdot n = \infty \cdot \infty = \infty$, where $n \in \mathbb{N}$.

If $A_i$ for $i \in I$ are sets, then by $\coprod_{i \in I} A_i$ we denote the coproduct of the $A_i$'s, i.e., the set of all pairs $(i, a)$ such that $i \in I$ and $a \in A_i$. We define the partial order $\mathbb{T}(\Sigma) = (\coprod_{n \in \mathbb{N}_\infty} T^n(\Sigma), \sqsubseteq)$ by: $(i, t) \sqsubseteq (j, s)$ iff $i \le j$ and $s{\restriction}i = t$. The size $|t| \in \mathbb{N}_\infty$ of $t \in \mathbb{T}(\Sigma)$ is the first component of $t$. We will often confuse $(i, t) \in \mathbb{T}(\Sigma)$ with $t \in T^i(\Sigma)$. For a sort symbol $s \in \Sigma_s$, by $\mathbb{T}_s(\Sigma)$ we denote the subset of $\mathbb{T}(\Sigma)$ consisting of all $(i, t)$ such that $t$ is of sort $s$. We also use the notation $\mathbb{T}_*(\Sigma)$ for $\mathbb{T}(\Sigma)$.

We define $\mathrm{cut} : \mathbb{N}_\infty \times \mathbb{T}(\Sigma) \to \mathbb{T}(\Sigma)$ by $\mathrm{cut}(n, (i, t)) = (i, t)$ if $i \le n$, and $\mathrm{cut}(n, (i, t)) = (n, t{\restriction}n)$ if $i > n$. Note that if $t \in \mathbb{T}_s(\Sigma)$ then $\mathrm{cut}(n, t) \in \mathbb{T}_s(\Sigma)$.

Let $f \in \Sigma_f$ be a function symbol of type $(s_1, \ldots, s_n; s)$ and let $1 \le i \le n$. The $i$-th destructor for $f$ is a function $d_{f,i} : T_s(\Sigma) \to T_{s_i}(\Sigma)$ defined by:

\[
d_{f,i}(t) = \begin{cases} t_i & \text{if } t = f(t_1, \ldots, t_n) \\ t' & \text{otherwise} \end{cases}
\]

where $t' \in T_{s_i}(\Sigma)$ is arbitrary. The constructor for $f$ is a function $c_f : T_{s_1}(\Sigma) \times \ldots \times T_{s_n}(\Sigma) \to T_s(\Sigma)$ defined by

\[
c_f(t_1, \ldots, t_n) = f(t_1, \ldots, t_n)
\]

The test for $f$ is a function $o_f : T_s \to \{0, 1\}$ defined by

\[
o_f(t) = \begin{cases} 1 & \text{if } t = f(t_1, \ldots, t_n) \\ 0 & \text{otherwise} \end{cases}
\]

If $t \in \mathbb{T}(\Sigma)$ and $t = (i, t')$ with $t' \in T^\infty(\Sigma)$ (this may happen for $i < \infty$ if e.g. $t'$ is a constant), then by $t{\uparrow}$ we denote $(\infty, t')$.

Lemma 4.15. The partial order $\mathbb{T}(\Sigma)$ is a CPO. Also, for each $s \in \Sigma_s$, the partial order $\mathbb{T}_s(\Sigma)$ is a CPO.

Proof. The bottom of $\mathbb{T}(\Sigma)$ is $(0, \bot)$, where $\bot$ is the sole element of $T^0(\Sigma)$.

Let $D \subseteq \mathbb{T}(\Sigma)$ be a directed set. Let $n$ be the supremum of the first coordinates of elements of $D$. Define $t \in T^n(\Sigma)$ by:

• $t(p) = f$ if $f \in \Sigma_f$ and there is $s \in D$ with $s(p) = f$,

• $t(p) = \bot$ otherwise,

where $p \in \mathbb{N}^*$. This is a good definition, because $D$ is directed. By definition we of course have $(n, t) \sqsupseteq s$ for all $s \in D$. If $n < \infty$ then $(n, t) \in D$, so it is the supremum of $D$. Assume $n = \infty$. Suppose $u \in T^m(\Sigma)$ and $(m, u) \sqsupseteq s$ for all $s \in D$. Then $m = \infty$. Let $p \in \mathbb{N}^*$. Then there exists $s \in D$ with $|s| > |p|$, and so $t(p) = s(p)$. Since $u \sqsupseteq s$, we obtain $u(p) = s(p) = t(p)$. Thus $u = t$, so $(\infty, t)$ is the supremum of $D$.

That for each $s \in \Sigma_s$, the order $\mathbb{T}_s(\Sigma)$ is a CPO follows from the fact that if all elements of a directed set are of sort $s$, then its supremum is also of sort $s$. □
Lemma 4.16. The tuple $(\mathbb{T}(\Sigma), \infty, |\cdot|, \mathrm{cut})$ is a sized CPO.$^7$ Also for each $s \in \Sigma_s$ the tuple $(\mathbb{T}_s(\Sigma), \infty, |\cdot|, \mathrm{cut})$ is a sized CPO.

Proof. The only part which is not completely obvious is the continuity of the size function $|\cdot|$. Let $D \subseteq \mathbb{T}(\Sigma)$ be a directed set. The set $|D|$ is directed. By the definition of $\bigvee D$ in the proof of Lemma 4.15 we have $|\bigvee D| = \bigvee |D|$. □

Our definition of $\mathbb{T}(\Sigma)$ may seem somewhat convoluted. One may wonder why we do not simply use $\bigcup_{n \in \mathbb{N}_\infty} T^n(\Sigma)$, or even the set of all coterms with some arbitrary subterms changed into $\bot$, with an obvious "information" ordering. The answer is that then there would be no cut function $\mathrm{cut}$ with the desired properties. Also, the construction of $\mathbb{T}(\Sigma)$ is a slightly modified instance of a more general sized CPO construction for an arbitrary final coalgebra in the category of sets (see the appendix).

For the sake of brevity we often use $T = T(\Sigma)$, $T_s = T_s(\Sigma)$, $\mathbb{T} = \mathbb{T}(\Sigma)$ and $\mathbb{T}_s = \mathbb{T}_s(\Sigma)$, i.e., we omit the signature $\Sigma$ when clear from the context or irrelevant. We also confuse $\mathbb{T}$ and $\mathbb{T}_s$ with the sized CPOs from Lemma 4.16.
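As an added illustration (this is not code from the paper), the following Python builds finite approximants $t{\restriction}n$ of constructed coterms, compares them in the order $\sqsubseteq$ of $\mathbb{T}(\Sigma)$, applies $\mathrm{cut}$, forms the regular constructor $c_f^*$ of Lemma 4.17(3) and computes the join of a chain exactly as in the proof of Lemma 4.15. The signature (symbols $f$, $g$, $c$) and the two infinite coterms are assumptions made for the example.

```python
"""Added example, not from the paper: finite approximants of coterms over a
many-sorted signature, the order on T(Sigma), cut, the constructor c*_f of
Lemma 4.17(3) and the join of a chain from the proof of Lemma 4.15.
A coterm is a function from positions (tuples of naturals, children of p
being p+(1,), p+(2,), ...) to function symbols, with None playing the role
of Lambda.  An approximant (i, t) is stored as a pair of its size i and a
dict from positions to symbols, BOT marking the cut-off nodes."""

BOT = "⊥"

# Constructed signature: f : (s, s; s), g : (d, s; s), constant c : (; d).
ARITY = {"f": 2, "g": 2, "c": 0}

def approximant(t, n):
    """(n, t|n) of Definition 4.14: a node at depth < n is kept, a constant
    at depth n > 0 is kept, everything else at depth n becomes BOT."""
    out = {}
    def walk(p):
        sym = t(p)
        if sym is None:                      # Lambda: no node here
            return
        if sym == BOT:                       # t is itself an approximant
            out[p] = BOT
            return
        d = len(p)
        if d < n or (d == n and n > 0 and ARITY[sym] == 0):
            out[p] = sym
            for i in range(1, ARITY[sym] + 1):
                walk(p + (i,))
        else:
            out[p] = BOT
    walk(())
    return (n, out)

def as_fn(a):
    """View an approximant as a position -> symbol function again."""
    _, tree = a
    return lambda p: tree.get(p)

def size(a):
    return a[0]

def leq(a, b):
    """(i, t) ⊑ (j, s) iff i <= j and s|i = t."""
    return size(a) <= size(b) and approximant(as_fn(b), size(a)) == a

def cut(n, a):
    """cut(n, (i, t)) = (i, t) if i <= n, else (n, t|n)."""
    return a if size(a) <= n else approximant(as_fn(a), n)

def constructor(f, *args):
    """c*_f(t_1, ..., t_n) = f(t_1|m, ..., t_n|m) with m = min |t_i|, so the
    result has size m + 1, matching eta_{c_f}(m_1, ..., m_n) = min m_i + 1."""
    m = min(size(a) for a in args)
    tree = {(): f}
    for k, a in enumerate(args, start=1):
        for p, sym in cut(m, a)[1].items():
            tree[(k,) + p] = sym
    return (m + 1, tree)

def join(chain):
    """Supremum of a finite chain as built in the proof of Lemma 4.15: the
    size is the supremum of the sizes, and a position carries a function
    symbol as soon as some element of the chain carries it there."""
    n = max(size(a) for a in chain)
    positions = set().union(*(a[1].keys() for a in chain))
    tree = {}
    for p in positions:
        syms = {a[1][p] for a in chain if p in a[1] and a[1][p] != BOT}
        tree[p] = syms.pop() if syms else BOT   # unique: the chain is directed
    return (n, tree)

# Two constructed infinite coterms, given as position -> symbol functions.
def full_f_tree(p):
    """The infinite coterm f(f(..., ...), f(..., ...)) of sort s."""
    return "f" if all(i in (1, 2) for i in p) else None

def stream_of_c(p):
    """The infinite coterm g(c, g(c, g(c, ...))) of sort s."""
    if all(i == 2 for i in p):
        return "g"
    if p and all(i == 2 for i in p[:-1]) and p[-1] == 1:
        return "c"
    return None
```

The approximants of `stream_of_c` show the constant rule at work: the $n$-th one keeps the $c$ at depth $n$, so the first approximant is $g(c, \bot)$ rather than $g(\bot, \bot)$.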


Lemma 4.17. Assume $f \in \Sigma_f$ has type $(s_1, \ldots, s_n; s)$.

1. The function $\eta_{d_{f,i}} : \mathbb{N}_\infty \to \mathbb{N}_\infty$ defined by $\eta_{d_{f,i}}(n) = \max(0, n - 1)$ is a production function for $d_{f,i}$.

2. If all elements of $T_{s_i}$ are constants, then $\eta^\infty_{d_{f,i}} : \mathbb{N}_\infty \to \mathbb{N}_\infty$ defined by

\[
\eta^\infty_{d_{f,i}}(n) = \begin{cases} \infty & \text{if } n > 0 \\ 0 & \text{if } n = 0 \end{cases}
\]

is a production function for $d_{f,i}$.

3. The function $\eta_{c_f} : \mathbb{N}_\infty^n \to \mathbb{N}_\infty$ defined by $\eta_{c_f}(m_1, \ldots, m_n) = \min_{i=1,\ldots,n} m_i + 1$ is a production function for $c_f$.

4. For any $k \in \mathbb{N}$ the function $\eta^k_{o_f} : \mathbb{N}_\infty \to \{0, 1\}$ defined by

\[
\eta^k_{o_f}(n) = \begin{cases} 1 & \text{if } n > k \\ 0 & \text{if } n \le k \end{cases}
\]

is a production function for $o_f$.

5. If all elements of $T_s$ are constants and $g : T_s^m \to T_{s'}$ then the function $\eta^\infty_g : \mathbb{N}_\infty^m \to \mathbb{N}_\infty$ given by

\[
\eta^\infty_g(n_1, \ldots, n_m) = \begin{cases} \infty & \text{if } n_1, \ldots, n_m > 0 \\ 0 & \text{otherwise} \end{cases}
\]

is a production function for $g$.

6. If all elements of $T_s$ are constants and $\chi : T_s^m \to \{0, 1\}$ then the function $\eta^\infty_\chi : \mathbb{N}_\infty^m \to \{0, 1\}$ defined by

\[
\eta^\infty_\chi(n_1, \ldots, n_m) = \begin{cases} 1 & \text{if } n_1, \ldots, n_m > 0 \\ 0 & \text{otherwise} \end{cases}
\]

is a production function for $\chi$.


Proof.

1. The $i$-th destructor $d_{f,i} : T_s(\Sigma) \to T_{s_i}(\Sigma)$ extends to a regular $d^*_{f,i} : \mathbb{T}_s(\Sigma) \to \mathbb{T}_{s_i}(\Sigma)$:

\[
d^*_{f,i}(t) = \begin{cases} t_i & \text{if } t = f(t_1, \ldots, t_n) \\ t' & \text{otherwise, where } t' \in \mathbb{T}_{s_i}(\Sigma) \text{ is arbitrary with } |t'| = \max(0, |t| - 1) \end{cases}
\]

2. We may take the regular extension

\[
d^\infty_{f,i}(t) = \begin{cases} t_i{\uparrow} & \text{if } t = f(t_1, \ldots, t_n) \\ t' & \text{if } t = g(t_1, \ldots, t_k) \text{ with } g \ne f, \text{ where } t' \in \mathbb{T}_{s_i}(\Sigma) \text{ is arbitrary with } |t'| = \infty \\ \bot & \text{otherwise} \end{cases}
\]

This is well-defined, because $t_i$ above is a constant.

3. The constructor $c_f$ extends to a regular $c^*_f : \mathbb{T}_{s_1}(\Sigma) \times \ldots \times \mathbb{T}_{s_n}(\Sigma) \to \mathbb{T}_s(\Sigma)$ as follows:

\[
c^*_f(t_1, \ldots, t_n) = f(t_1{\restriction}m, \ldots, t_n{\restriction}m)
\]

where $m = \min_{i=1,\ldots,n} |t_i|$.

4. The test $o_f$ extends to a regular $o^*_f : \mathbb{T}_s(\Sigma) \to 2$ as follows:

\[
o^*_f(t) = \begin{cases} 1 & \text{if } |t| > k \text{ and } t = f(t_1, \ldots, t_n) \\ 0 & \text{if } |t| > k \text{ and } t = g(t_1, \ldots, t_k) \text{ for } g \in \Sigma_f,\ g \ne f \\ \bot & \text{otherwise, i.e. if } |t| \le k \end{cases}
\]

5. A regular extension $g^\infty : \mathbb{T}_s^m \to \mathbb{T}_{s'}$ of $g$ is given by

\[
g^\infty(t_1, \ldots, t_m) = \begin{cases} g(t_1{\uparrow}, \ldots, t_m{\uparrow}) & \text{if } t_i \ne \bot \text{ for } i = 1, \ldots, m \\ \bot & \text{otherwise} \end{cases}
\]

6. A regular extension $\chi^\infty : \mathbb{T}_s^m \to 2$ of $\chi$ is given by

\[
\chi^\infty(t_1, \ldots, t_m) = \begin{cases} \chi(t_1{\uparrow}, \ldots, t_m{\uparrow}) & \text{if } t_i \ne \bot \text{ for } i = 1, \ldots, m \\ \bot & \text{otherwise} \end{cases}
\]

□

$^7$ Since $\mathbb{N}_\infty$ and $\mathrm{On}(\omega)$ are isomorphic we identify them without loss of generality. So $\infty = \omega$.

The following simple lemma implies that all the production functions from the above lemma are continuous.

Lemma 4.18. A production function $\eta : \mathbb{N}_\infty^m \to \mathbb{N}_\infty$ is continuous iff $\eta(\bigvee D) = \bigvee \eta(D)$ for all infinite directed $D \subseteq \mathbb{N}_\infty^m$.

Proof. The implication from left to right is obvious. For the converse, let $D \subseteq \mathbb{N}_\infty^m$ be a finite directed set. Then $\bigvee D$ is the largest element of $D$. So $\eta(\bigvee D)$ is the largest element of $\eta(D)$, because $\eta$ is monotone by Lemma 4.7. Thus $\bigvee \eta(D) = \eta(\bigvee D)$. □

Because any $p \in \mathbb{N}_\infty^m \setminus \mathbb{N}^m$ is a join of an infinite chain $C \subseteq \mathbb{N}^m$, the above lemma implies that the values of continuous functions in $\mathbb{N}_\infty^m \to \mathbb{N}_\infty$ are uniquely determined by their values on $\mathbb{N}^m$. We shall thus often treat continuous functions as if they were defined on $\mathbb{N}^m$, and leave their values at infinity implicit.
Lemma 4.19. If $\eta : \mathbb{N}_\infty^m \to \mathbb{N}_\infty$ is continuous and for every $n_1, \ldots, n_m \in \mathbb{N}$ we have

\[
\eta(n_1, \ldots, n_m) > \min_{i=1,\ldots,m} n_i,
\]

then also for every $n_1, \ldots, n_m \in \mathbb{N}_\infty$ such that $n_k < \infty$ for some $1 \le k \le m$, we have $\eta(n_1, \ldots, n_m) > \min_{i=1,\ldots,m} n_i$.

Proof. Without loss of generality, we consider the case $m = 2$ and show that if $\eta(n_1, n_2) > \min(n_1, n_2)$ for $n_1, n_2 \in \mathbb{N}$ then $\eta(n, \infty) > n$ for $n \in \mathbb{N}$. For every $k \ge n$ we have $\eta(n, k) > \min(n, k) = n$, i.e., $\eta(n, k) \ge n + 1$. Because $D = \{(n, k) \mid k \ge n\}$ is directed, $\bigvee D = (n, \infty)$ and $\eta$ is continuous, we have

\[
\eta(n, \infty) = \eta(\bigvee D) = \bigvee \eta(D) = \bigvee_{k \ge n} \eta(n, k) \ge \bigvee_{k \ge n} (n + 1) = n + 1 > n.
\]

□


The method for showing well-definedness of functions given by corecursive equations is to use Lemma 4.17 and lemmas 4.9–4.12 and Theorem 4.13 from Section 4.1 to calculate production functions, and then apply Corollary 4.8. For convenience of reference, we reformulate Corollary 4.8 specialized to many-sorted coterms, in its most useful form.

Corollary 4.20. Let $S$ be an arbitrary set. Let $h : S \times T_s^m \to T_s$ and $g_i : S \to S$ ($i = 1, \ldots, m$). For each $x \in S$, let $\eta_h^x : \mathbb{N}_\infty^m \to \mathbb{N}_\infty$ be a continuous production function for $\lambda y.h(x, y)$. If

\[
(*) \qquad \eta_h^x(n_1, \ldots, n_m) > \min_{i=1,\ldots,m} n_i
\]

for all $x \in S$ and all $n_1, \ldots, n_m \in \mathbb{N}$, then there exists a function $f : S \to T_s$ defined by corecursion from $h$ and $g_1, \ldots, g_m$.

Proof. Follows from Corollary 4.8 and Lemma 4.19. □

Note that if $S = T_{s_1} \times \ldots \times T_{s_k}$, the local prefix production functions $\eta_h^x$ above are all the same and a global prefix production function $\eta_h : \mathbb{N}_\infty^{k+m} \to \mathbb{N}_\infty$ satisfies $\eta_h(\infty, \ldots, \infty, n_1, \ldots, n_m) = \eta_h^x(n_1, \ldots, n_m)$, then $(*)$ in Corollary 4.20 implies $(\star)$ in Theorem 4.13. This situation is usually the case, and we will often avoid mentioning it explicitly.


Example 4.21. Let $A$ be a set. Let $\Sigma$ consist of two sorts $s$ and $\mathfrak{d}$, one function symbol $\mathrm{cons}$ of type $(\mathfrak{d}, s; s)$ and a distinct constant symbol $a \in A$ of sort $\mathfrak{d}$ for each element of $A$. Then $T_s(\Sigma)$ is the set of streams over $A$. We also write $T_s(\Sigma) = A^\omega$ and $T_{\mathfrak{d}}(\Sigma) = A$. Instead of $\mathrm{cons}(a, t)$ we usually write $a : t$, and we assume that $:$ associates to the right, e.g., $x : y : t$ is $x : (y : t)$. We also use the notation $x : t$ to denote the application of the constructor for $\mathrm{cons}$ to $x$ and $t$. Instead of $d_{\mathrm{cons},1}$ we write $\mathrm{hd}$, and instead of $d_{\mathrm{cons},2}$ we write $\mathrm{tl}$. Instead of $o_a(x) = 1$, where $a \in A$, we write $x = a$. For $\mathrm{tl}$ we shall use the continuous production function $\eta_{\mathrm{tl}}(n) = \max(0, n - 1)$, and for $\mathrm{cons}$ we shall use the function $\eta_{\mathrm{cons}}(n) = n + 1$. Since all elements of $T_{\mathfrak{d}}$ are constants, we may use

\[
\eta_\infty(n) = \begin{cases} \infty & \text{if } n > 0 \\ 0 & \text{if } n = 0 \end{cases}
\]

as a continuous production function for $\mathrm{hd}$. For $o_{\mathrm{cons}}$ we use the continuous production function $\eta^0_{o_{\mathrm{cons}}}$. See Lemma 4.17.
Consider the equation

\[
\mathrm{even}(x : y : t) = x : \mathrm{even}(t)
\]

We shall show that the above equation determines a unique function $\mathrm{even} : A^\omega \to A^\omega$.

The equation may be rewritten as

\[
\mathrm{even}(t) = \mathrm{hd}(t) : \mathrm{even}(\mathrm{tl}(\mathrm{tl}(t))) \quad \text{if } o_{\mathrm{cons}}(t) = 1
\]

So $\mathrm{even}$ is defined by corecursion from $h : A^\omega \times A^\omega \to A^\omega$ given by

\[
h(t, t') = \mathrm{hd}(t) : t' \quad \text{if } o_{\mathrm{cons}}(t) = 1
\]

and $g : A^\omega \to A^\omega$ given by

\[
g(t) = \mathrm{tl}(\mathrm{tl}(t))
\]

The function $h$ is defined by cases from $h_0 : A^\omega \times A^\omega \to A^\omega$ given by

\[
h_0(t, t') = \mathrm{hd}(t) : t'
\]

and from the test function $o_{\mathrm{cons}}$ (formally, we also need some function for $g_0$ in Definition 4.6, i.e., for the case when none of the conditions holds, but in the present instance $o_{\mathrm{cons}}$ never gives the value $0$ so this does not matter). Using Lemma 4.10 we conclude that for each $t \in T$ a continuous $t$-local prefix production function$^8$ $\xi^t : \mathbb{N} \to \mathbb{N}$ is defined by $\xi^t(n) = n + 1$. Therefore, $\mathrm{even}$ is well-defined (i.e. it exists and is unique) by Corollary 4.20. Using Lemma 4.10 we see that a continuous production function $\eta_g : \mathbb{N} \to \mathbb{N}$ for $g$ is defined by

\[
\eta_g(n) = \begin{cases} n - 2 & \text{if } n \ge 2 \\ 0 & \text{otherwise} \end{cases}
\]

From Lemma 4.10 and Lemma 4.12 a continuous production function $\eta_h : \mathbb{N}^2 \to \mathbb{N}$ for $h$ is given by

\[
\eta_h(n, m) = \begin{cases} m + 1 & \text{if } n > 0 \\ 0 & \text{if } n = 0 \end{cases}
\]

Therefore, by Theorem 4.13 there exists a continuous production function $\eta_{\mathrm{even}} : \mathbb{N} \to \mathbb{N}$ for $\mathrm{even}$ satisfying

\[
\eta_{\mathrm{even}}(n) = \begin{cases} \eta_{\mathrm{even}}(n - 2) + 1 & \text{if } n \ge 2 \\ \eta_{\mathrm{even}}(0) + 1 & \text{if } n = 1 \\ 0 & \text{if } n = 0 \end{cases}
\]

Thus $\eta_{\mathrm{even}}(n) = \lceil \frac{n}{2} \rceil$ for $n \in \mathbb{N}$.

Usually, we do not get into so much detail when justifying well-definedness of a function given by some corecursive equations. Formally, sets of equations of the form

\[
\begin{aligned}
f(t_1) &= s_1 \\
&\ \ \vdots \\
f(t_k) &= s_k
\end{aligned}
\]

where $t_1, \ldots, t_k$ are some patterns and $s_1, \ldots, s_k$ some expressions possibly involving $f$, are always interpreted as defining a function $f$ by (corecursion from a function defined by) cases from appropriate functions corresponding to the $s_i$ and from some combinations of test functions corresponding to the patterns. These correspondences are usually straightforward and left implicit. To prove well-definedness of $f$ we implicitly use lemmas 4.9–4.12 to calculate all local prefix production functions, and then we show $(*)$ in Corollary 4.20. If we are also interested in a production function for $f$, then we calculate production functions for the argument functions $g_i$ and the prefix function $h$ (using lemmas 4.9–4.12), and then we apply Theorem 4.13 to obtain recursive equations for a production function for $f$. The resulting production functions are typically continuous. We leave this observation implicit and consider the production functions as functions defined on $\mathbb{N}^m$ (which we can do by Lemma 4.18 and Lemma 4.19).

$^8$ Recall that by Lemma 4.18 we may consider continuous production functions as defined on $\mathbb{N}^m$ instead of $\mathbb{N}_\infty^m$.

Applying the remarks of the preceding paragraph, we now give arguments justifying the well-definedness of $\mathrm{even}$ and the form of its production function in a style which we shall adopt from now on.

A prefix production function$^9$ for a function $\mathrm{even}$ satisfying

\[
\mathrm{even}(x : y : t) = x : \mathrm{even}(t)
\]

is given by $\xi(n) = n + 1 > n$. Thus $\mathrm{even}$ is well-defined and its production function $\eta_{\mathrm{even}} : \mathbb{N} \to \mathbb{N}$ satisfies for $n \in \mathbb{N}$:$^{10}$

\[
\begin{aligned}
\eta_{\mathrm{even}}(0) &= 0 \\
\eta_{\mathrm{even}}(1) &= 1 + \eta_{\mathrm{even}}(0) \\
\eta_{\mathrm{even}}(n + 2) &= 1 + \eta_{\mathrm{even}}(n)
\end{aligned}
\]

Hence $\eta_{\mathrm{even}}(n) = \lceil \frac{n}{2} \rceil$ for $n \in \mathbb{N}$. □

The above definition of $\mathrm{even}$ is actually an instance of a common form of definition by guarded corecursion.

Definition 4.22. A function $h : S \times T_s^m \to T_{s'}$ (for $m \in \mathbb{N}$, $s, s' \in \Sigma_s$) is non-consuming if for each $x \in S$ there is a continuous production function $\eta_h^x : \mathbb{N}_\infty^m \to \mathbb{N}_\infty$ for $\lambda y.h(x, y)$ satisfying

\[
\eta_h^x(n_1, \ldots, n_m) \ge \min_{i=1,\ldots,m} n_i
\]

for all $n_1, \ldots, n_m \in \mathbb{N}$.

The class of constructor-guarded functions is defined inductively as the class of all functions $h : S \times T_s^m \to T_{s'}$ (for arbitrary $m \in \mathbb{N}$, $s, s' \in \Sigma_s$) such that

\[
h(x, y_1, \ldots, y_m) = c(u_1(x, y_1, \ldots, y_m), \ldots, u_k(x, y_1, \ldots, y_m))
\]

where $c$ is a constructor for a function symbol of type $(s_1, \ldots, s_k; s')$ and each $u_i : S \times T_s^m \to T_{s_i}$ is non-consuming.

We say that a function $f : S \to T_s$ is defined by guarded corecursion from $h : S \times T_s^m \to T_s$ and $g_i : S \to S$ ($i = 1, \ldots, m$) if it is defined by corecursion from $h$ and $g_1, \ldots, g_m$, with $h$ defined by cases from some constructor-guarded functions $h_j : S \times T_s^m \to T_s$ ($j = 0, \ldots, k$) and some condition functions $o_j : S \to \{0, 1\}$ ($j = 1, \ldots, k$), i.e., the condition functions depend only on the first argument of $h$.

Note that every function $h : S \times T_s^m \to T_{s'}$ which

• depends only on its first argument, or

• satisfies $h(x, y_1, \ldots, y_m) = y_i$ for all $x \in S$, $y_1, \ldots, y_m \in T_s$, fixed $i$, or

• is constructor-guarded

is also non-consuming.

$^9$ More precisely: for each $r \in A^\omega$ a continuous $r$-local prefix production function...

$^{10}$ We leave implicit the verification of $(\star)$ in Theorem 4.13 which follows from the fact that a global prefix production function (see the definition of $\eta_h$ above) satisfies $\xi'(\infty, n) = \xi(n)$, and $\xi(n) > n$ for $n \in \mathbb{N}$.

By Corollary 4.20 for every $h$ and $g_1, \ldots, g_m$ satisfying the requirements of Definition 4.22 there exists a unique function defined by guarded corecursion. When some corecursive equations involving a function $f$ straightforwardly translate to a definition by guarded corecursion, then we say that the definition of $f$ is guarded, which implies well-definedness of $f$. If $f$ is defined by guarded corecursion, $S = T_{s_1} \times \ldots \times T_{s_l}$ and there exist appropriate production functions for the $u_j$ ($j = 1, \ldots, k$), then $(\star)$ in Theorem 4.13 holds, so we may then use Theorem 4.13 to calculate a production function for $f$.

The functions $\eta^\infty_g$ and $\eta^\infty_\chi$ for various $g$ and $\chi$ (see Lemma 4.17) will be used implicitly in calculations of production functions in the following examples.

Example 4.23. Consider the equations over streams of natural numbers:

\[
\begin{aligned}
\mathrm{add}(x : t, y : s) &= (x + y) : \mathrm{add}(t, s) \\
\mathrm{zip}(x : t, s) &= x : \mathrm{zip}(s, t) \\
D &= 0 : 1 : 1 : \mathrm{zip}(\mathrm{add}(\mathrm{tl}(D), \mathrm{tl}(\mathrm{tl}(D))), \mathrm{even}(\mathrm{tl}(D)))
\end{aligned}
\]

We show that these equations define unique functions $\mathrm{add} : \mathbb{N}^\omega \times \mathbb{N}^\omega \to \mathbb{N}^\omega$, $\mathrm{zip} : \mathbb{N}^\omega \times \mathbb{N}^\omega \to \mathbb{N}^\omega$, and a unique stream$^{11}$ $D \in \mathbb{N}^\omega$.

The function $\mathrm{add}$ is well-defined, because its definition is guarded. A production function $\eta_{\mathrm{add}} : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ for $\mathrm{add}$ satisfies

\[
\begin{aligned}
\eta_{\mathrm{add}}(0, m) &= 0 \\
\eta_{\mathrm{add}}(n, 0) &= 0 \\
\eta_{\mathrm{add}}(n + 1, m + 1) &= \eta_{\mathrm{add}}(n, m) + 1
\end{aligned}
\]

Thus $\eta_{\mathrm{add}}(n, m) = \min(n, m)$.

The definition of $\mathrm{zip}$ is also guarded, so $\mathrm{zip}$ is well-defined. A production function $\eta_{\mathrm{zip}} : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ for $\mathrm{zip}$ satisfies

\[
\begin{aligned}
\eta_{\mathrm{zip}}(0, m) &= 0 \\
\eta_{\mathrm{zip}}(n + 1, m) &= \eta_{\mathrm{zip}}(m, n) + 1
\end{aligned}
\]

The equations for $\eta_{\mathrm{zip}}$ are equivalent to

\[
\begin{aligned}
\eta_{\mathrm{zip}}(0, m) &= 0 \\
\eta_{\mathrm{zip}}(n + 1, 0) &= 1 \\
\eta_{\mathrm{zip}}(n + 1, m + 1) &= \eta_{\mathrm{zip}}(n, m) + 2
\end{aligned}
\]

Thus $\eta_{\mathrm{zip}}(n, m) = \min(2n, 2m + 1)$.

Using the formulas for $\eta_{\mathrm{even}}$, $\eta_{\mathrm{add}}$ and $\eta_{\mathrm{zip}}$ we now calculate a prefix production function $\xi$ for $D$. For $n \le 2$ we have

\[
\begin{aligned}
\xi(n) &= 3 + \eta_{\mathrm{zip}}(\eta_{\mathrm{add}}(0, 0), \eta_{\mathrm{even}}(0)) \\
&= 3 + \eta_{\mathrm{zip}}(0, 0) \\
&= 3
\end{aligned}
\]

so $\xi(n) > n$ for $n \le 2$. For $n > 2$ we have

\[
\begin{aligned}
\xi(n) &= 3 + \eta_{\mathrm{zip}}(\eta_{\mathrm{add}}(n - 1, n - 2), \eta_{\mathrm{even}}(n - 1)) \\
&= 3 + \eta_{\mathrm{zip}}(\min(n - 1, n - 2), \lceil \tfrac{n-1}{2} \rceil) \\
&= 3 + \eta_{\mathrm{zip}}(n - 2, \lceil \tfrac{n-1}{2} \rceil) \\
&= 3 + \min(2(n - 2), 2 \lceil \tfrac{n-1}{2} \rceil + 1)
\end{aligned}
\]

We have $2(n - 2) = 2n - 4 > n - 3$ for $n > 2$. Also $2 \lceil \frac{n-1}{2} \rceil + 1 \ge n - 1 + 1 = n > n - 3$. Hence for $n > 2$ we have $\xi(n) > 3 + n - 3 = n$. Thus $\xi(n) > n$ for $n \in \mathbb{N}$, and therefore $D$ is well-defined. □

$^{11}$ To make the definition of $D$ consistent with our theory, which considers only functions, we could provide $D$ with one dummy argument.


Example 4.24. Consider the following specification of the Hamming string $H$ of positive natural numbers not divisible by primes other than $2$, $3$ and $5$.

\[
\begin{aligned}
\mathrm{mul}(x, y : t) &= x \cdot y : \mathrm{mul}(x, t) \\
\mathrm{merge}(x : t_1, y : t_2) &= \begin{cases} x : \mathrm{merge}(t_1, y : t_2) & \text{if } x < y \\ y : \mathrm{merge}(x : t_1, t_2) & \text{otherwise} \end{cases} \\
H &= 1 : \mathrm{merge}(\mathrm{merge}(\mathrm{mul}(2, H), \mathrm{mul}(3, H)), \mathrm{mul}(5, H))
\end{aligned}
\]

We show that $\mathrm{mul} : \mathbb{N} \times \mathbb{N}^\omega \to \mathbb{N}^\omega$, $\mathrm{merge} : \mathbb{N}^\omega \times \mathbb{N}^\omega \to \mathbb{N}^\omega$ and $H \in \mathbb{N}^\omega$ are well-defined.

The function $\mathrm{mul}$ is well-defined, because the definition is guarded. A production function$^{12}$ $\eta_{\mathrm{mul}}$ for $\mathrm{mul}$ is given by $\eta_{\mathrm{mul}}(n) = n$. The definition of $\mathrm{merge}$ is also guarded, so $\mathrm{merge}$ is well-defined. A production function $\eta_{\mathrm{merge}}$ for $\mathrm{merge}$ satisfies:$^{13}$

\[
\begin{aligned}
\eta_{\mathrm{merge}}(0, m) &= 0 \\
\eta_{\mathrm{merge}}(n, 0) &= 0 \\
\eta_{\mathrm{merge}}(n + 1, m + 1) &= \min(\eta_{\mathrm{merge}}(n, m + 1), \eta_{\mathrm{merge}}(n + 1, m)) + 1
\end{aligned}
\]

Thus $\eta_{\mathrm{merge}}(n, m) = \min(n, m)$. Note that the form of this production function or even its existence is not completely intuitive — one would expect that the "size" of the resulting stream may depend on the elements of the argument streams, not only on their sizes. The trick is that we use cut functions in the proof of Lemma 4.12 to effectively select the least possible size, disregarding any side conditions.

Therefore, a prefix production function $\xi$ for $H$ satisfies $\xi(n) = 1 + \min(\min(n, n), n) = n + 1 > n$. So $H$ is well-defined. □
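The following Python is an added example, not code from the paper: it evaluates the stream functions of Examples 4.21, 4.23 and 4.24 on finite approximants (a tuple of the first $n$ elements), checks that the size of each result is exactly the production function computed above, including the cut in $\mathrm{merge}$ that makes $\eta_{\mathrm{merge}}$ depend on sizes only, and runs the initial sequences of $D$ and $H$ from the bottom approximant. The function names and the tuple encoding are assumptions of the example.

```python
"""Added example, not from the paper: the stream functions of Examples
4.21, 4.23 and 4.24 on finite approximants, next to the production
functions calculated there.  A stream approximant of size n is the tuple
of its first n elements (the n-th approximant of Definition 4.14 keeps
exactly the constants a_0, ..., a_{n-1}); () is the bottom element."""
from functools import lru_cache
from math import ceil

def tl(t):                      # eta_tl(n) = max(0, n - 1)
    return t[1:]

def cons(a, t):                 # eta_cons(n) = n + 1
    return (a,) + t

# even, add, zip and mul are guarded, so their least fixpoints on
# approximants are computed by plain recursion; () is returned as soon
# as the pattern meets the bottom of an argument.
def even(t):                    # even(x : y : t) = x : even(t)
    return cons(t[0], even(tl(tl(t)))) if t else ()

def add(t, s):                  # add(x : t, y : s) = (x + y) : add(t, s)
    return cons(t[0] + s[0], add(tl(t), tl(s))) if t and s else ()

def zip_(t, s):                 # zip(x : t, s) = x : zip(s, t)
    return cons(t[0], zip_(s, tl(t))) if t else ()

def mul(x, t):                  # mul(x, y : t) = x * y : mul(x, t)
    return cons(x * t[0], mul(x, tl(t))) if t else ()

@lru_cache(maxsize=None)
def merge(t, s):
    """merge(x : t1, y : t2) = x : merge(t1, y : t2) if x < y, and
    y : merge(x : t1, t2) otherwise.  A function defined by cases is
    extended by cutting the chosen branch to the least size among all
    branches (the cut in Lemma 4.12), which is why the size of the
    result depends only on the sizes of the arguments."""
    if not (t and s):
        return ()
    lo = cons(t[0], merge(tl(t), s))    # branch taken when x < y
    hi = cons(s[0], merge(t, tl(s)))    # branch taken otherwise
    chosen = lo if t[0] < s[0] else hi
    return chosen[:min(len(lo), len(hi))]

# Closed forms of the production functions derived on the page.
def eta_even(n):
    return ceil(n / 2)

def eta_add(n, m):
    return min(n, m)

def eta_zip(n, m):
    return min(2 * n, 2 * m + 1)

def eta_merge(n, m):
    return min(n, m)

def xi_D(n):
    """Prefix production function xi for D from Example 4.23."""
    if n <= 2:
        return 3
    return 3 + eta_zip(eta_add(n - 1, n - 2), eta_even(n - 1))

def step_D(d):
    """One unfolding of D = 0 : 1 : 1 : zip(add(tl D, tl tl D), even(tl D))."""
    return (0, 1, 1) + zip_(add(tl(d), tl(tl(d))), even(tl(d)))

def step_H(h):
    """One unfolding of H = 1 : merge(merge(mul(2, H), mul(3, H)), mul(5, H)).
    With the x < y case only, repeated values such as 6 = 2*3 = 3*2 are kept."""
    return cons(1, merge(merge(mul(2, h), mul(3, h)), mul(5, h)))

def iterate(step, k):
    """k steps of the initial sequence of a corecursive definition, started
    at the bottom approximant ().  Returns the sizes reached and the k-th
    approximant; each size is the prefix production function applied to
    the previous one, and the sizes grow without bound because xi(n) > n."""
    x, sizes = (), [0]
    for _ in range(k):
        y = step(x)
        assert y[:len(x)] == x          # the sequence is a chain
        x = y
        sizes.append(len(x))
    return sizes, x
```

For $D$ the sizes reached are $0, 3, 5, 8, 12$, i.e. $\xi$ applied repeatedly, and for $H$ they are $0, 1, 2, \ldots$ as $\xi(n) = n + 1$ predicts.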


Specifications of many-sorted signatures may be conveniently given by cogrammars. For instance, the set $S$ of streams over a set $A$ could be specified by writing

\[
S ::= \mathrm{cons}(A, S).
\]

A more interesting example is that of finite and infinite binary trees with nodes labelled either with $a$ or $b$, and leaves labelled with one of the elements of a set $V$:

\[
T ::= V \;\|\; a(T, T) \;\|\; b(T, T).
\]

As cogrammars are not intended to be formal entities but only convenient visual means for specifying sets of coterms, we will not define them precisely. It is always clear from a stated cogrammar what many-sorted signature is meant.

Example 4.25. We define the set $\Lambda$ of infinitary $\varepsilon$-lambda-terms by the cogrammar

\[
\Lambda ::= V \;\|\; \Lambda\Lambda \;\|\; \lambda V.\Lambda \;\|\; \varepsilon(\Lambda)
\]

$^{12}$ Formally, we consider infinitely many functions $\lambda t.\mathrm{mul}(n, t)$ for each $n \in \mathbb{N}$, and apply Theorem 4.13 to each of them.

$^{13}$ We use Lemma 4.12 and Theorem 4.13.
where $V$ is a set of variables. For $s, t \in \Lambda$ and $x \in V$, the operation of substitution $\mathrm{subst}_x : \Lambda \times \Lambda \to \Lambda$ is defined by guarded corecursion

\[
\begin{aligned}
x[t/x] &= t \\
y[t/x] &= y \quad \text{if } x \ne y \\
(s_1 s_2)[t/x] &= (s_1[t/x])(s_2[t/x]) \\
(\lambda y.s)[t/x] &= \lambda y.s[t/x] \quad \text{if } x \ne y \\
(\lambda x.s)[t/x] &= \lambda x.s \\
(\varepsilon(s))[t/x] &= \varepsilon(s[t/x])
\end{aligned}
\]

where $s[t/x] = \mathrm{subst}_x(s, t)$.

Note that substitution defined in this way may capture variables. For the sake of simplicity, we disregard this problem by assuming that in all terms the free variables are distinct from the bound ones.

A production function $\eta_{\mathrm{subst}}$ for $\mathrm{subst}_x$ is given by the equations$^{14}$

\[
\begin{aligned}
\eta_{\mathrm{subst}}(0, m) &= 0 \\
\eta_{\mathrm{subst}}(n, 0) &= 0 \\
\eta_{\mathrm{subst}}(n + 1, m) &= \min(m, n + 1, \eta_{\mathrm{subst}}(n, m) + 1)
\end{aligned}
\]

Thus $\eta_{\mathrm{subst}}(n, m) = \min(n, m)$.

The definition of substitution on infinitary $\varepsilon$-lambda-terms will be used in an example in the next section. □

4.3 Coinduction

Coinduction is a method of proving statements involving coinductive relations, i.e., relations defined as greatest fixpoints of certain monotone operators. Coinductive relations are most useful in conjunction with infinite objects and corecursively defined functions.

Definition 4.26. Let $\Sigma$ be a first-order signature. The first-order language over the signature $\Sigma$ is defined in the standard way, except that we additionally allow free relational variables (but not bound ones: quantification is only over individuals). We use the symbol $\equiv$ to denote syntactic identity of terms and formulas.

A sentence is a formula without free variables (relational or individual). Given a $\Sigma$-structure $\mathcal{A}$ and a sentence $\varphi$, we write $\mathcal{A} \models \varphi$ if $\varphi$ is true in $\mathcal{A}$. If $\mathcal{A}$ is clear or irrelevant, we sometimes simply say that $\varphi$ holds.

Since we will usually work with a fixed structure $\mathcal{A}$, to save on notation we often confuse function and relation symbols in the language with corresponding functions and relations on $\mathcal{A}$. We will also often confuse a structure $\mathcal{A}$ with its carrier set. Moreover, we usually implicitly assume that in the signature $\Sigma$ there is a corresponding constant (i.e. a nullary function symbol) for every element of $\mathcal{A}$.

If $\Sigma \subseteq \Sigma'$ and $\mathcal{A}$ is a $\Sigma$-structure, then a $\Sigma'$-expansion of $\mathcal{A}$ is a $\Sigma'$-structure $\mathcal{A}'$ with the same carrier set and the same interpretation of symbols from $\Sigma$ as $\mathcal{A}$.

We write $\varphi = \varphi(\bar{x}, \bar{X}) = \varphi(x_1, \ldots, x_n, X_1, \ldots, X_m)$ for a formula with all free individual variables among $x_1, \ldots, x_n$, and all free relational variables among $X_1, \ldots, X_m$. We then write $\varphi(t_1, \ldots, t_n, R_1, \ldots, R_m)$ to denote $\varphi$ with each $x_i$ substituted with the term $t_i$, and each $X_i$ substituted with the relation symbol $R_i$.

A formula $\varphi$ is in prenex normal form if $\varphi \equiv \forall x_1 \exists y_1 \forall x_2 \exists y_2 \ldots \psi$ where $\psi$ is quantifier-free. It is a standard result in elementary logic that any first order formula may be effectively translated into an equivalent formula in prenex normal form. A formula $\varphi$ is universal if it is equivalent to a formula $\forall x_1 \forall x_2 \ldots \forall x_n \psi$ with $\psi$ quantifier-free. A formula $\varphi$ is standard if it is equivalent to a conjunction of formulas of the form$^{15}$

\[
\forall x_1 \cdots \forall x_n \big( \psi(x_1, \ldots, x_n, X_1, \ldots, X_m) \to X_{i_1}(t_1, \ldots, t_{n_1}) \land \ldots \land X_{i_k}(t_1, \ldots, t_{n_k}) \big)
\]

where $\psi$ is quantifier-free.

We will give a general method for showing by coinduction, for an arbitrary structure $\mathcal{A}$, that $\mathcal{A} \models \varphi(R_1, \ldots, R_n)$ where $R_1, \ldots, R_n$ are some coinductive relations, and $\varphi$ is, in principle, an arbitrary formula. First, we need to precisely define what a coinductive relation is.

$^{14}$ We again implicitly use Lemma 4.12 and Theorem 4.13.

Definition 4.27. Let $A$ be a set. An $n$-ary relation $R \subseteq A^n$ is a coinductive relation if it is the greatest fixpoint of some monotone endofunction $F : \mathcal{P}(A^n) \to \mathcal{P}(A^n)$. Since $\mathcal{P}(A^n)$ is a complete lattice, for any monotone endofunction $F : \mathcal{P}(A^n) \to \mathcal{P}(A^n)$ there exists an associated coinductive relation $R = \nu F$, and it is the limit of the final sequence of $F$. The final sequence of an endofunction for a coinductive relation $R$ will be denoted by $(R^\alpha)_\alpha$. The $\alpha$-th element $R^\alpha$ of the final sequence is called the approximant of $R$ at stage $\alpha$. If $(x_1, \ldots, x_n) \in R$ then we say that $R(x_1, \ldots, x_n)$ (holds). If $R^\alpha(x_1, \ldots, x_n)$ then we say that $R(x_1, \ldots, x_n)$ (holds) at (stage) $\alpha$.

Note that the approximants $R^\alpha$ of a coinductive relation $R$ depend on the endofunction $F$ of which $R$ is the greatest fixpoint, i.e., they depend on a particular definition of $R$, not on the relation $R$ itself.


Example 4.28. We define a set of coterms $T$ by the cogrammar

\[
T ::= V \;\|\; A(T) \;\|\; B(T, T)
\]

where $V$ is a countable set of variables, and $A$, $B$ are constructors. By $x, y, \ldots$ we denote variables, and by $t, s, \ldots$ we denote coterms (i.e. elements of $T$).

We define a coinductive relation $\to\ \subseteq T \times T$ by a set of coinductive rules:

\[
\frac{}{x \to x}\ (1) \qquad
\frac{t \to t'}{A(t) \to A(t')}\ (2) \qquad
\frac{s \to s' \quad t \to t'}{B(s, t) \to B(s', t')}\ (3) \qquad
\frac{t \to t'}{A(t) \to B(t', t')}\ (4)
\]

Formally, the relation $\to$ is the greatest fixpoint of a monotone $F : \mathcal{P}(T \times T) \to \mathcal{P}(T \times T)$ defined by

\[
F(R) = \{ (t_1, t_2) \mid \exists x \in V\, (t_1 = t_2 = x) \lor \exists t, t' \in T\, (t_1 = A(t) \land t_2 = B(t', t') \land R(t, t')) \lor \ldots \}.
\]

It is always straightforward to convert rules of the above form into an appropriate monotone endofunction (provided the rules actually are monotone). We shall always leave this conversion implicit.

Alternatively, using the Knaster-Tarski fixpoint theorem, the relation $\to$ may be characterized as the greatest binary relation on $T$ (i.e. the greatest subset of $T \times T$ w.r.t. set inclusion) such that $\to\ \subseteq F(\to)$, i.e., such that for every $t_1, t_2 \in T$ with $t_1 \to t_2$ one of the following holds:

1. $t_1 = t_2 = x$ for some variable $x \in V$,

2. $t_1 = A(t)$, $t_2 = A(t')$ with $t \to t'$,

3. $t_1 = B(s, t)$, $t_2 = B(s', t')$ with $s \to s'$ and $t \to t'$,

4. $t_1 = A(t)$, $t_2 = B(t', t')$ with $t \to t'$.

$^{15}$ The individual variables $x_1, \ldots, x_n$ may of course occur in the terms $t_i$.


Yet another way to think about $\to$ is that $t_1 \to t_2$ holds iff there exists a potentially infinite derivation tree of $t_1 \to t_2$ built using the rules (1)-(4).

The rules (1)-(4) could also be interpreted inductively to yield the least fixpoint of $F$. This is the conventional interpretation, and it is indicated with a single line in each rule separating premises from the conclusion. A coinductive interpretation is indicated with double lines.

It is instructive to note that the coinductive rules may also be interpreted as giving (ordinary) rules for approximants at each successor ordinal stage $\alpha+1$:

$$\frac{}{x \to x \text{ at } \alpha+1}\ (1) \qquad \frac{t \to t' \text{ at } \alpha}{A(t) \to A(t') \text{ at } \alpha+1}\ (2) \qquad \frac{s \to s' \text{ at } \alpha \quad t \to t' \text{ at } \alpha}{B(s,t) \to B(s',t') \text{ at } \alpha+1}\ (3)$$

$$\frac{t \to t' \text{ at } \alpha}{A(t) \to B(t',t') \text{ at } \alpha+1}\ (4)$$

This follows directly from the way $F$ and the approximants are defined. We will often use this observation implicitly.

Usually, the closure ordinal for the definition of a coinductive relation is $\omega$. In general, however, it is not difficult to come up with a coinductive definition whose closure ordinal is greater than $\omega$. For instance, consider the relation $R \subseteq \mathbb{N} \cup \{\infty\}$ defined coinductively by the following two rules.

$$\frac{R(n) \quad n \in \mathbb{N}}{R(n+1)} \qquad \frac{\exists n \in \mathbb{N}\,.\,R(n)}{R(\infty)}$$

We have $R = \emptyset$, $R^n = \{m \in \mathbb{N} \mid m \ge n\} \cup \{\infty\}$ for $n \in \mathbb{N}$, $R^\omega = \{\infty\}$, and only $R^{\omega+1} = \emptyset$. Thus the closure ordinal of this definition is $\omega+1$. □

The following simple but important theorem states the coinduction principle. 

Theorem 4.29 (Coinduction principle). Let $\Sigma$ be a first-order signature, $\varphi(X_1,\dots,X_m)$ a standard formula over $\Sigma$, and $\mathcal{A}$ a $\Sigma$-structure. Let $R_1,\dots,R_m$ be coinductive relations on $\mathcal{A}$, with arities matching the arities of $X_1,\dots,X_m$. Suppose the coinductive step holds:

• for every ordinal $\alpha$, if $\mathcal{A} \models \varphi(R_1^\alpha,\dots,R_m^\alpha)$ then $\mathcal{A} \models \varphi(R_1^{\alpha+1},\dots,R_m^{\alpha+1})$.

Then $\mathcal{A} \models \varphi(R_1^\alpha,\dots,R_m^\alpha)$ for every ordinal $\alpha$. In particular, $\mathcal{A} \models \varphi(R_1,\dots,R_m)$.

Proof. By transfinite induction on $\alpha$ we show $\mathcal{A} \models \varphi(R_1^\alpha,\dots,R_m^\alpha)$. For $\alpha = 0$ this follows from the fact that $\varphi$ is standard and each $R_i^0$ is a full relation, i.e., $R_i^0 = A^k$ for some $k > 0$. For $\alpha$ a successor ordinal this follows from the coinductive step. So assume $\alpha$ is a limit ordinal. Since $\varphi$ is a universal formula, it is equivalent to a formula $\forall x_1 \dots \forall x_n\,\psi$ with $\psi$ quantifier-free in disjunctive normal form. So $\psi = \psi_1 \vee \dots \vee \psi_k$ with each disjunct $\psi_i$ a conjunction of literals. We need to show that for all $a_1,\dots,a_n \in A$ we have $\mathcal{A} \models \psi(a_1,\dots,a_n,R_1^\alpha,\dots,R_m^\alpha)$.

Let $a_1,\dots,a_n \in A$. Let $\beta < \alpha$. Then $\mathcal{A} \models \varphi(R_1^\beta,\dots,R_m^\beta)$, so $\mathcal{A} \models \psi(a_1,\dots,a_n,R_1^\beta,\dots,R_m^\beta)$. Hence $\mathcal{A} \models \psi_i(a_1,\dots,a_n,R_1^\beta,\dots,R_m^\beta)$ for some $1 \le i \le k$. Since the number $k$ of disjuncts is finite, there must be $1 \le i \le k$ with $\mathcal{A} \models \psi_i(a_1,\dots,a_n,R_1^\beta,\dots,R_m^\beta)$ for arbitrarily large $\beta < \alpha$, i.e., for every $\gamma < \alpha$ there is $\gamma < \beta < \alpha$ with $\mathcal{A} \models \psi_i(a_1,\dots,a_n,R_1^\beta,\dots,R_m^\beta)$.

Assume $\psi_i = \theta_1 \wedge \dots \wedge \theta_r$ with each $\theta_j$ a literal. Thus $\mathcal{A} \models \theta_j(a_1,\dots,a_n,R_1^\beta,\dots,R_m^\beta)$ for arbitrarily large $\beta < \alpha$, for $j = 1,\dots,r$. It suffices to show

$$\mathcal{A} \models \theta_j(a_1,\dots,a_n,R_1^\alpha,\dots,R_m^\alpha)$$

for every $1 \le j \le r$. Let $1 \le j \le r$.

If $\theta_j(a_1,\dots,a_n,X_1,\dots,X_m) = \theta_j(a_1,\dots,a_n)$, i.e., $\theta_j$ does not depend on the relational variables $X_1,\dots,X_m$, then $\mathcal{A} \models \theta_j(a_1,\dots,a_n,R_1^\alpha,\dots,R_m^\alpha)$, because $\mathcal{A} \models \theta_j(a_1,\dots,a_n,R_1^\beta,\dots,R_m^\beta)$ for some $\beta < \alpha$, i.e., $\mathcal{A} \models \theta_j(a_1,\dots,a_n)$.

Now assume $\theta_j(a_1,\dots,a_n,X_1,\dots,X_m) = \neg X_p(t_1,\dots,t_q)$. Then $\mathcal{A} \models \neg R_p^\beta(t_1,\dots,t_q)$ for some $\beta < \alpha$. We have $R_p^\alpha = \bigcap_{\beta < \alpha} R_p^\beta$ because $\alpha$ is a limit ordinal (recall the definition of the final sequence in Definition 3.1). Hence $\mathcal{A} \not\models R_p^\alpha(t_1,\dots,t_q)$, and thus $\mathcal{A} \models \neg R_p^\alpha(t_1,\dots,t_q)$, i.e., $\mathcal{A} \models \theta_j(a_1,\dots,a_n,R_1^\alpha,\dots,R_m^\alpha)$.

So finally assume $\theta_j(a_1,\dots,a_n,X_1,\dots,X_m) = X_p(t_1,\dots,t_q)$. Then $\mathcal{A} \models R_p^\beta(t_1,\dots,t_q)$ for arbitrarily large $\beta < \alpha$. By Lemma 3.2, if $\mathcal{A} \models R_p^\beta(t_1,\dots,t_q)$ then $\mathcal{A} \models R_p^\gamma(t_1,\dots,t_q)$ for all $\gamma < \beta$. Thus in fact $\mathcal{A} \models R_p^\beta(t_1,\dots,t_q)$ for all $\beta < \alpha$, i.e., $(t_1,\dots,t_q) \in \bigcap_{\beta < \alpha} R_p^\beta$. Since $R_p^\alpha = \bigcap_{\beta < \alpha} R_p^\beta$, we have $\mathcal{A} \models R_p^\alpha(t_1,\dots,t_q)$. Hence $\mathcal{A} \models \theta_j(a_1,\dots,a_n,R_1^\alpha,\dots,R_m^\alpha)$. □

Example 4.30. Let $T$ be the set of coterms, and $\to$ the coinductive relation, from Example 4.28. We show by coinduction that for arbitrary $t \in T$ we have $t \to t$. For the coinductive step, assume the coinductive hypothesis (CH), i.e., that for $\beta \le \alpha$: for all $t \in T$ we have $t \to t$ at stage $\beta$. Consider possible forms of $t$. If $t = x \in V$, then $t \to t$ at $\alpha+1$ by rule (1). If $t = A(t')$ then $t' \to t'$ at $\alpha$ by the CH, so $t = A(t') \to A(t') = t$ at $\alpha+1$ by rule (2). If $t = B(t_1,t_2)$ then $t_1 \to t_1$ at $\alpha$ and $t_2 \to t_2$ at $\alpha$ by the CH, so $t \to t$ at $\alpha+1$ by rule (3). Therefore, for all $t \in T$ we have $t \to t$ at $\alpha+1$, which shows the coinductive step.

The correctness of the above reasoning relies on Theorem 4.29. The signature $\Sigma$ and the structure $\mathcal{A}$ are left implicit. For every function and relation on $T$ that we use in the proof there is a corresponding symbol in $\Sigma$. The structure $\mathcal{A}$ has the set $T$ as its carrier, and the expected interpretation of all symbols from $\Sigma$ (as the corresponding actual functions and relations on $T$).

Usually, we do not get into so much detail when doing coinductive proofs. The ordinal stages are also left implicit, unless they occur in the statement we ultimately want to show or the argument that the stage increases is not completely trivial. Below we give the proof again in a style which we adopt from now on.

We show by coinduction that if $t \in T$ then $t \to t$. If $t = x$ then this follows by rule (1). If $t = A(t')$ then $t' \to t'$ by the CH, so $t \to t$ by rule (2). If $t = B(t_1,t_2)$ then $t_1 \to t_1$ and $t_2 \to t_2$ by the CH, so $t \to t$ by rule (3). □

When doing a proof by coinduction one must be careful to ensure that the implicit stages actually do increase. The most common way to ensure this is to immediately provide the conclusion of the coinductive hypothesis as a premise of some coinductive rule, since applying a rule increases the stage. Note that $R^\alpha \subseteq R^\beta$ for $\beta < \alpha$, by Lemma 3.2. This has the important practical consequence that we do not have to worry$^{16}$ to increase the stage by exactly one, as it would at first sight seem necessary from the statement of Theorem 4.29. We may increase it by an arbitrary $n > 0$, and the proof is still correct. In particular, it is harmless to apply rules repeatedly a positive number of times to a conclusion of the coinductive hypothesis, e.g., to conclude $R(x)$ (at $\alpha$) by the CH, then to conclude $R(s(x))$ (at $\alpha+1$) by some rule (r) with $R(x)$ (at $\alpha$) as a premise, then conclude $R(s(s(x)))$ (at $\alpha+2$, so also at $\alpha+1$ by Lemma 3.2) by rule (r) with $R(s(x))$ (at $\alpha+1$) as a premise, finishing the proof of the coinductive step.

In general, Lemma 3.2 implies that we may always decrease the stage of a coinductive relation. But to increase it we need to apply at least one rule.

Note that because we are usually just interested in showing properties of some coinductive relations on certain sets, we have some freedom in choosing the signature $\Sigma$ and the structure $\mathcal{A}$ in Theorem 4.29, as well as the actual formula $\varphi$ we want to prove. Hence the restriction on $\varphi$ in Theorem 4.29 to standard formulas is less limiting than it might at first seem. For instance, suppose $\varphi(X) = \forall x\,((\forall y\,\psi(x,y)) \to X(f(x)))$, i.e., $X$ does not occur in $\psi$. We are interested in showing $\mathcal{A} \models \varphi(R)$ for some structure $\mathcal{A}$ and a coinductive relation $R$. One cannot apply Theorem 4.29 directly to $\varphi$ because of the negative occurrence of the universal quantifier $\forall y$ (the prenex normal form of $\varphi$ has an existential quantifier). However, one may add a new unary relation symbol $r$ to the signature, interpreted in an expansion $\mathcal{A}'$ of $\mathcal{A}$ by the relation $\{a \in A \mid \mathcal{A} \models \forall y\,\psi(a,y)\}$. Then $\mathcal{A} \models \varphi(R)$ iff $\mathcal{A}' \models \forall x\,(r(x) \to R(f(x)))$. In practice, we thus do not need to worry about negative (resp. positive) occurrences of universal (resp. existential) quantifiers which do not have any relational variables within their scope.

16 As long as we are showing a statement with only positive occurrences of the coinductive relations for which we (implicitly) track the stages.

Example 4.31. On coterms from $T$ (from Example 4.28) we define the operation of substitution by guarded corecursion:

$$\begin{aligned}
y[t/x] &= y \qquad \text{if } x \ne y \\
x[t/x] &= t \\
(A(s))[t/x] &= A(s[t/x]) \\
(B(s_1,s_2))[t/x] &= B(s_1[t/x], s_2[t/x])
\end{aligned}$$

We show by coinduction: if $s \to s'$ and $t \to t'$ then $s[t/x] \to s'[t'/x]$, where $\to$ is the relation from Example 4.28. Formally, the statement we show is: for $s,s',t,t' \in T$, if $s \to s'$ and $t \to t'$ then $s[t/x] \to s'[t'/x]$ at $\alpha$. So we do not track the stages in the antecedent of the implication, as this is not necessary for the proof to go through. It is somewhat arbitrary how to choose the occurrences of coinductive relations for which we track the stages. Generally, tracking stages for negative occurrences makes the proof harder, while tracking them for positive occurrences makes it easier. So we adopt the convention of tracking the stages only for positive occurrences of coinductive relations, and leave this choice implicit.

Let us proceed with the proof. The proof is by coinduction with case analysis on $s \to s'$. If $s = s' = y$ with $y \ne x$, then $s[t/x] = y = s'[t'/x]$, and $y \to y$ by rule (1). If $s = s' = x$ then $s[t/x] = t \to t' = s'[t'/x]$ (at $\alpha+1$; we implicitly use Lemma 3.2 here). If $s = A(s_1)$, $s' = A(s_1')$ and $s_1 \to s_1'$, then $s_1[t/x] \to s_1'[t'/x]$ by the CH. Thus $s[t/x] = A(s_1[t/x]) \to A(s_1'[t'/x]) = s'[t'/x]$ by rule (2). If $s = B(s_1,s_2)$, $s' = B(s_1',s_2')$ then the proof is analogous. If $s = A(s_1)$, $s' = B(s_1',s_1')$ and $s_1 \to s_1'$, then the proof is also similar. Indeed, by the CH we have $s_1[t/x] \to s_1'[t'/x]$, so $s[t/x] = A(s_1[t/x]) \to B(s_1'[t'/x], s_1'[t'/x]) = s'[t'/x]$ by rule (4). □

Let us reiterate the convention introduced in the above example.

Important convention. Unless explicitly stated otherwise, we track the stages only for positive occurrences of coinductive relations, i.e., we do not treat negative occurrences as relational variables in the formula we feed to Theorem 4.29. For instance, let $f : T \to T$, let $R \subseteq T$ be a coinductive relation, and suppose we want to show that for all $x \in T$ such that $R(x)$ we have $R(f(x))$. Then by default we take $\varphi(X) = \forall x \in T\,.\,R(x) \to X(f(x))$ to be the formula used with Theorem 4.29. To override this convention one may mention the stages explicitly, e.g.: for all $x \in T$ such that $R(x)$ at stage $\alpha$ we have $R(f(x))$ at stage $\alpha$. Then the formula we take is $\varphi(X) = \forall x \in T\,.\,X(x) \to X(f(x))$. In conclusion, by default we track the stages of all positive occurrences of coinductive relations, and only those negative occurrences for which the stage is explicitly mentioned.

Definition 4.32. Let $\Sigma$ be a many-sorted algebraic signature, as in Definition 4.14. Let $T = T(\Sigma)$. Define on $T$ a binary relation $\equiv$ of bisimilarity by the coinductive rules

$$\frac{t_1 \equiv s_1 \quad \dots \quad t_n \equiv s_n}{f(t_1,\dots,t_n) \equiv f(s_1,\dots,s_n)}$$

for each $f \in \Sigma_f$.

It is intuitively obvious that on coterms bisimilarity is the same as identity. The following easy theorem makes this precise.

Theorem 4.33. For $t,s \in T$ we have: $t \equiv s$ iff $t = s$.

Proof. Recall that each coterm is formally a function from $\mathbb{N}^*$ to $\Sigma_f \cup \{\bot\}$.

Assume $t \equiv s$. It suffices to show by induction on the length of $p \in \mathbb{N}^*$ that $t|_p \equiv s|_p$ or $t|_p = s|_p = \bot$, where by $t|_p$ we denote the subterm of $t$ at position $p$. For $p = \varepsilon$ this is obvious. Assume $p = p'j$. By the inductive hypothesis (IH), $t|_{p'} \equiv s|_{p'}$ or $t|_{p'} = s|_{p'} = \bot$. If $t|_{p'} \equiv s|_{p'}$ then $t|_{p'} = f(t_0,\dots,t_n)$ and $s|_{p'} = f(s_0,\dots,s_n)$ for some $f \in \Sigma_f$ with $t_i \equiv s_i$ for $i = 0,\dots,n$. If $0 \le j \le n$ then $t|_p = t_j \equiv s_j = s|_p$. Otherwise, if $j > n$ or if $t|_{p'} = s|_{p'} = \bot$, then $t|_p = s|_p = \bot$ by the definition of coterms.

For the other direction, we show by coinduction that for any $t \in T$ we have $t \equiv t$. If $t \in T$ then $t = f(t_1,\dots,t_n)$ for some $f \in \Sigma_f$. By the CH we obtain $t_i \equiv t_i$ for $i = 1,\dots,n$. Hence $t \equiv t$ by the rule for $f$. □

For coterms $t,s \in T$, we shall therefore use the notations $t \equiv s$ and $t = s$ interchangeably, employing Theorem 4.33 implicitly.

Example 4.34. Recall the coinductive definitions of zip and even from Section 4.2:

$$\begin{aligned}
\mathrm{even}(x : y : t) &= x : \mathrm{even}(t) \\
\mathrm{zip}(x : t, s) &= x : \mathrm{zip}(s, t)
\end{aligned}$$

By coinduction we show

$$\mathrm{zip}(\mathrm{even}(t), \mathrm{even}(\mathrm{tl}(t))) = t$$

for any stream $t \in A^\omega$.

Let $t \in A^\omega$. Then $t = x : y : s$ for some $x,y \in A$ and $s \in A^\omega$. We have

$$\begin{aligned}
\mathrm{zip}(\mathrm{even}(t), \mathrm{even}(\mathrm{tl}(t))) &= \mathrm{zip}(\mathrm{even}(x : y : s), \mathrm{even}(y : s)) \\
&= \mathrm{zip}(x : \mathrm{even}(s), \mathrm{even}(y : s)) \\
&= x : \mathrm{zip}(\mathrm{even}(y : s), \mathrm{even}(s)) \\
&= x : y : s \qquad \text{(by CH)} \\
&= t
\end{aligned}$$

In the equality marked with (by CH) we use the coinductive hypothesis, and implicitly a bisimilarity rule from Definition 4.32. □
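The identity just proved can be observed at any finite stage by running the stream functions. The following Python code is an added example and is not part of the original paper: streams are generators, even, zip and tl are transcribed from the equations above, and bisimilar_upto(n, t, s) decides whether t = s holds at stage n, i.e. whether the first n elements agree, which is the n-th approximant of the bisimilarity of Definition 4.32 on streams. The helper names (take, bisimilar_upto, check_identity, naturals, abc_stream) are chosen here.

```python
"""Streams as generators: even, zip, tl from Example 4.34 and a bounded bisimilarity check.
Added example, not from the original paper; helper names are chosen here."""
from itertools import count, cycle, islice
from typing import Callable, Iterable, Iterator, List


def even(t: Iterable) -> Iterator:
    """even(x : y : t) = x : even(t): keep every other element."""
    it = iter(t)
    for x in it:
        yield x
        next(it, None)  # discard y; for an infinite stream the default is never used


def zip_(t: Iterable, s: Iterable) -> Iterator:
    """zip(x : t, s) = x : zip(s, t): interleave, starting with t."""
    t, s = iter(t), iter(s)
    while True:
        yield next(t)
        t, s = s, t  # the corecursive call zip(s, t) swaps the arguments


def tl(t: Iterable) -> Iterator:
    """tl(x : t) = t."""
    it = iter(t)
    next(it)
    yield from it


def take(n: int, t: Iterable) -> List:
    """The first n elements of a stream (a finite prefix)."""
    return list(islice(t, n))


def bisimilar_upto(n: int, t: Iterable, s: Iterable) -> bool:
    """t = s at stage n.  Bisimilarity on streams has the single rule  t = s / x:t = x:s,
    so its n-th approximant relates exactly the streams whose first n elements agree."""
    return take(n, t) == take(n, s)


def naturals() -> Iterator[int]:
    """Constructed sample stream 0 : 1 : 2 : ..."""
    return count()


def abc_stream() -> Iterator[str]:
    """Constructed sample stream a : b : c : a : b : c : ..."""
    return cycle("abc")


def check_identity(n: int, make_stream: Callable[[], Iterable]) -> bool:
    """zip(even(t), even(tl(t))) = t at stage n.  Generators are consumed when read,
    so make_stream() builds a fresh copy of t for every occurrence of t."""
    lhs = zip_(even(make_stream()), even(tl(make_stream())))
    return bisimilar_upto(n, lhs, make_stream())


def check_wrong_identity(n: int, make_stream: Callable[[], Iterable]) -> bool:
    """zip(even(t), even(t)) = t: a false statement that still holds at stage 1, which is
    why a coinductive proof has to establish every stage and not just some prefix."""
    lhs = zip_(even(make_stream()), even(make_stream()))
    return bisimilar_upto(n, lhs, make_stream())


if __name__ == "__main__":
    print(take(8, zip_(even(naturals()), even(tl(naturals())))))
    print(check_identity(100, naturals), check_identity(100, abc_stream))
    print(check_wrong_identity(1, naturals), check_wrong_identity(2, naturals))
```

The check at stage n is not a proof: check_wrong_identity shows a false equation that survives stage 1 and is refuted at stage 2, whereas the coinductive argument above covers all stages at once because the stage is only ever increased by applying a rule.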

Theorem 4.29 gives a coinduction principle only for standard formulas. By the discussion just above Example 4.31 this essentially means that we cannot do coinductive proofs for formulas with some positive (resp. negative) occurrences of existential (resp. universal) quantifiers which have some relational variables in their scope. However, even this is not so much of a restriction as it may seem, because any formula without free individual variables may be converted into Skolem normal form.

Definition 4.35. Let $\varphi = \forall x_1 \exists y_1 \dots \forall x_n \exists y_n\,\psi(x_1,\dots,x_n,y_1,\dots,y_n,X_1,\dots,X_k)$ be a formula over a signature $\Sigma$, with $\psi$ quantifier-free. The Skolem normal form of $\varphi$ is

$$\varphi^s = \forall x_1 \cdots \forall x_n\,\psi(x_1,\dots,x_n,f_1(x_1),f_2(x_1,x_2),\dots,f_n(x_1,\dots,x_n),X_1,\dots,X_k)$$

where $f_1,\dots,f_n$ are distinct new Skolem function symbols, i.e., $f_1,\dots,f_n \notin \Sigma$. The signature $\Sigma^s = \Sigma \cup \{f_1,\dots,f_n\}$ is called a Skolem signature for $\varphi$. Thus $\varphi^s$ is a formula over $\Sigma^s$. The definition of Skolem normal form extends in a natural way to arbitrary formulas without free individual variables, by converting them into equivalent prenex normal form first. A Skolem expansion $\mathcal{A}^s$ of a $\Sigma$-structure $\mathcal{A}$ wrt. $\varphi$ is a $\Sigma^s$-expansion of $\mathcal{A}$. The functions interpreting Skolem function symbols in a Skolem expansion are called Skolem functions.

Let $\mathcal{A}$ be a $\Sigma$-structure, and $\varphi(X_1,\dots,X_n)$ a formula over $\Sigma$. Let $R_1,\dots,R_n$ be coinductive relations on $\mathcal{A}$ with matching arities. It is obvious that if there exists a Skolem expansion $\mathcal{A}^s$ of $\mathcal{A}$ with $\mathcal{A}^s \models \varphi^s(R_1^\alpha,\dots,R_n^\alpha)$ for all ordinals $\alpha$, then $\mathcal{A} \models \varphi(R_1^\alpha,\dots,R_n^\alpha)$ for all ordinals $\alpha$.

The method for showing by coinduction a formula $\varphi(R_1,\dots,R_n)$ with existential quantifiers occurring positively is to first convert $\varphi$ into Skolem normal form $\varphi^s$ and find appropriate Skolem functions, and then show using Theorem 4.29 that $\varphi^s(R_1,\dots,R_n)$ is true in the Skolem expansion. Usually, it is convenient to define the required Skolem functions by corecursion, using methods from Section 4.1.


Example 4.36. Let $T$ be the set of coterms and $\to$ the binary relation from Example 4.28. We show: for all $s,t,t' \in T$, if $s \to t$ and $s \to t'$ then there exists $s' \in T$ with $t \to s'$ and $t' \to s'$. So we need to find a Skolem function $f : T \times T \times T \to T$ which will allow us to prove:

(*) if $s \to t$ and $s \to t'$ then $t \to f(s,t,t')$ and $t' \to f(s,t,t')$.

The rules for $\to$ suggest a definition of $f$:

$$\begin{aligned}
f(x,x,x) &= x \\
f(A(s),A(t),A(t')) &= A(f(s,t,t')) \\
f(A(s),A(t),B(t',t')) &= B(f(s,t,t'), f(s,t,t')) \\
f(A(s),B(t,t),A(t')) &= B(f(s,t,t'), f(s,t,t')) \\
f(A(s),B(t,t),B(t',t')) &= B(f(s,t,t'), f(s,t,t')) \\
f(B(s_1,s_2),B(t_1,t_2),B(t_1',t_2')) &= B(f(s_1,t_1,t_1'), f(s_2,t_2,t_2')) \\
f(s,t,t') &= \text{some arbitrary coterm if none of the above matches}
\end{aligned}$$

The definition is guarded, so $f$ is well-defined.

We now proceed with a coinductive proof of (*). Assume $s \to t$ and $s \to t'$. If $s = t = t' = x$ then $f(s,t,t') = x$, and $x \to x$ by rule (1). If $s = A(s_1)$, $t = A(t_1)$ and $t' = A(t_1')$ with $s_1 \to t_1$ and $s_1 \to t_1'$, then by the CH $t_1 \to f(s_1,t_1,t_1')$ and $t_1' \to f(s_1,t_1,t_1')$. We have $f(s,t,t') = A(f(s_1,t_1,t_1'))$. Hence $t = A(t_1) \to f(s,t,t')$ and $t' = A(t_1') \to f(s,t,t')$, by rule (2). If $s = B(s_1,s_2)$, $t = B(t_1,t_2)$ and $t' = B(t_1',t_2')$ with $s_1 \to t_1$, $s_1 \to t_1'$, $s_2 \to t_2$ and $s_2 \to t_2'$, then by the CH we have $t_1 \to f(s_1,t_1,t_1')$, $t_1' \to f(s_1,t_1,t_1')$, $t_2 \to f(s_2,t_2,t_2')$ and $t_2' \to f(s_2,t_2,t_2')$. Hence $t = B(t_1,t_2) \to B(f(s_1,t_1,t_1'), f(s_2,t_2,t_2')) = f(s,t,t')$ by rule (3). Analogously, $t' \to f(s,t,t')$ by rule (3). Other cases are similar.
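To make the stage-indexed reading of the rules and the Skolem function concrete, here is an added Python example, which is not part of the original paper, for the coterms of Example 4.28 restricted to finite terms (an assumption made here; the paper's coterms may be infinite). red_at(t1, t2, n) computes the n-th approximant of the relation, i.e. whether t1 -> t2 holds at stage n: stage 0 relates everything and stage n+1 applies rules (1)-(4) to stage n, as in the approximant rules after Example 4.28. Under the finiteness assumption every rule strips one constructor, so the approximants stop changing once the stage exceeds the term depth and the greatest fixpoint is decidable. subst is the substitution of Example 4.31, skolem_f is the function f defined in Example 4.36, and diamond_holds checks (*) exhaustively for every pair of reducts of a term; the names red_at, reduces, reducts, first_failing_stage and diamond_holds are chosen here.

```python
"""Finite coterms T ::= V | A(T) | B(T,T) (Example 4.28): approximants of ->, substitution
(Example 4.31) and the Skolem function f of Example 4.36.  Added example, not from the
original paper; it assumes finite terms, which the paper does not."""
from dataclasses import dataclass
from typing import Set, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class A:
    arg: "Term"


@dataclass(frozen=True)
class B:
    left: "Term"
    right: "Term"


Term = Union[Var, A, B]


def red_at(t1: Term, t2: Term, stage: int) -> bool:
    """t1 -> t2 at stage `stage`: R^0 = T x T and R^(n+1) = F(R^n), read off rules (1)-(4)."""
    if stage == 0:
        return True  # the 0-th approximant is the full relation
    n = stage - 1
    if isinstance(t1, Var) and isinstance(t2, Var):
        return t1.name == t2.name                                          # rule (1)
    if isinstance(t1, A) and isinstance(t2, A):
        return red_at(t1.arg, t2.arg, n)                                   # rule (2)
    if isinstance(t1, B) and isinstance(t2, B):
        return red_at(t1.left, t2.left, n) and red_at(t1.right, t2.right, n)  # rule (3)
    if isinstance(t1, A) and isinstance(t2, B):
        return t2.left == t2.right and red_at(t1.arg, t2.left, n)         # rule (4)
    return False


def depth(t: Term) -> int:
    if isinstance(t, Var):
        return 0
    return 1 + (depth(t.arg) if isinstance(t, A) else max(depth(t.left), depth(t.right)))


def reduces(t1: Term, t2: Term) -> bool:
    """t1 -> t2 in the greatest fixpoint: on finite terms the approximants are constant
    once the stage exceeds the depth, because each rule strips one constructor."""
    return red_at(t1, t2, max(depth(t1), depth(t2)) + 1)


def first_failing_stage(t1: Term, t2: Term, limit: int = 20):
    """Least n <= limit at which t1 -> t2 fails, or None.  By Lemma 3.2 the approximants
    shrink as the stage grows, so a pair failing at n fails at every later stage."""
    for n in range(limit + 1):
        if not red_at(t1, t2, n):
            return n
    return None


def subst(s: Term, t: Term, x: str) -> Term:
    """s[t/x] from Example 4.31 (on finite terms the corecursion is plain recursion)."""
    if isinstance(s, Var):
        return t if s.name == x else s
    if isinstance(s, A):
        return A(subst(s.arg, t, x))
    return B(subst(s.left, t, x), subst(s.right, t, x))


def skolem_f(s: Term, t: Term, tp: Term) -> Term:
    """The Skolem function f(s, t, t') of Example 4.36.  The four clauses with s = A(s1)
    are merged: t and t' are each A(u) or B(u, u), and the result is A(r) only if both are A."""
    if isinstance(s, Var) and s == t == tp:
        return s
    if isinstance(s, A):
        def inner(r):  # the u in A(u) or B(u, u); None if r has neither shape
            if isinstance(r, A):
                return r.arg
            return r.left if isinstance(r, B) and r.left == r.right else None
        t1, t1p = inner(t), inner(tp)
        if t1 is not None and t1p is not None:
            r = skolem_f(s.arg, t1, t1p)
            return A(r) if isinstance(t, A) and isinstance(tp, A) else B(r, r)
    if isinstance(s, B) and isinstance(t, B) and isinstance(tp, B):
        return B(skolem_f(s.left, t.left, tp.left), skolem_f(s.right, t.right, tp.right))
    return Var("arbitrary")  # "some arbitrary coterm if none of the above matches"


def reducts(t: Term) -> Set[Term]:
    """All t' with t -> t'; finite for a finite t, so (*) can be checked exhaustively."""
    if isinstance(t, Var):
        return {t}
    if isinstance(t, A):
        inner = reducts(t.arg)
        return {A(u) for u in inner} | {B(u, u) for u in inner}
    return {B(l, r) for l in reducts(t.left) for r in reducts(t.right)}


def diamond_holds(s: Term) -> bool:
    """(*): for all t, t' with s -> t and s -> t', both t and t' reduce to f(s, t, t')."""
    rs = reducts(s)
    return all(reduces(t, skolem_f(s, t, tp)) and reduces(tp, skolem_f(s, t, tp))
               for t in rs for tp in rs)
```

first_failing_stage makes the difference between "holds at stage n" and "holds" visible: A(A(x)) -> A(A(y)) survives stages 0, 1 and 2 (the variables are only compared once the stage reaches the leaves) and is refuted at stage 3, while a pair in the greatest fixpoint is never refuted.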

Usually, it is inconvenient to invent Skolem functions beforehand, because definitions of the Skolem functions and the coinductive proof of the Skolem normal form are typically interdependent. Therefore, we adopt a style of doing a proof by coinduction of a formula $\varphi(R_1,\dots,R_m)$ in prenex normal form with existential quantifiers. We intertwine mutually corecursive definitions$^{17}$ of Skolem functions with a coinductive proof of the Skolem normal form $\varphi^s(R_1,\dots,R_m)$. We pretend that the coinductive hypothesis is $\varphi(R_1^\alpha,\dots,R_m^\alpha)$. Each element obtained from an existential quantifier in the coinductive hypothesis is interpreted as a corecursive invocation of the corresponding Skolem function. When later we exhibit an element to show an existential subformula of $\varphi(R_1^{\alpha+1},\dots,R_m^{\alpha+1})$, we interpret this as the definition of the corresponding Skolem function in the case specified by the assumptions currently active in the proof. Note that this exhibited element may (or may not) depend on some elements obtained from existential quantifiers in the coinductive hypothesis, i.e., the definition of the corresponding Skolem function may involve corecursive invocations of Skolem functions.

17 Section 4.1 directly deals only with corecursive definitions of single functions, but mutual corecursion may be easily handled by considering an appropriate function on tuples of elements. See also Example 4.45 and Definition 4.46.

To illustrate the style of doing coinductive proofs of formulas with existential quantifiers, we redo the proof done above. For illustrative purposes, we indicate the arguments of the Skolem function, i.e., we write $s'_{s,t,t'}$ in place of $f(s,t,t')$. These subscripts $s,t,t'$ are normally omitted.

We show by coinduction that if $s \to t$ and $s \to t'$ then there exists $s' \in T$ with $t \to s'$ and $t' \to s'$. Assume $s \to t$ and $s \to t'$. If $s = t = t' = x$ then take $s'_{x,x,x} = x$. If $s = A(s_1)$, $t = A(t_1)$ and $t' = A(t_1')$ with $s_1 \to t_1$ and $s_1 \to t_1'$, then by the CH we obtain$^{18}$ $s'_{s_1,t_1,t_1'}$ with $t_1 \to s'_{s_1,t_1,t_1'}$ and $t_1' \to s'_{s_1,t_1,t_1'}$. Hence $t = A(t_1) \to A(s'_{s_1,t_1,t_1'})$ and $t' = A(t_1') \to A(s'_{s_1,t_1,t_1'})$ by rule (2). Thus we may take $s'_{s,t,t'} = A(s'_{s_1,t_1,t_1'})$. If $s = B(s_1,s_2)$, $t = B(t_1,t_2)$ and $t' = B(t_1',t_2')$, with $s_1 \to t_1$, $s_1 \to t_1'$, $s_2 \to t_2$ and $s_2 \to t_2'$, then by the CH we obtain $s'_{s_1,t_1,t_1'}$ and $s'_{s_2,t_2,t_2'}$ with $t_1 \to s'_{s_1,t_1,t_1'}$, $t_1' \to s'_{s_1,t_1,t_1'}$, $t_2 \to s'_{s_2,t_2,t_2'}$ and $t_2' \to s'_{s_2,t_2,t_2'}$. Hence $t = B(t_1,t_2) \to B(s'_{s_1,t_1,t_1'}, s'_{s_2,t_2,t_2'})$ by rule (3). Analogously, $t' \to B(s'_{s_1,t_1,t_1'}, s'_{s_2,t_2,t_2'})$ by rule (3). Thus we may take $s'_{s,t,t'} = B(s'_{s_1,t_1,t_1'}, s'_{s_2,t_2,t_2'})$. Other cases are similar.

It is quite clear that the above proof, when interpreted in the way outlined before, implicitly defines the Skolem function $f$. Also, in each case a local prefix production function is implicitly defined. From Corollary 4.8 it follows that to justify the well-definedness of the implicit Skolem function it suffices to bound a local prefix production function for each case separately. If the definition is guarded in a given case, the well-definedness argument for this case is left implicit. Otherwise, a justification is needed.

Note that for a coinductive proof to implicitly define a Skolem function, the elements exhibited for existential statements must not depend on the (implicit) stage $\alpha$. In other words, the Skolem functions must be the same for all $\alpha$. This is the reason why Theorem 4.29 does not generalize to arbitrary formulas in the first place. However, it is usually the case that there is no dependency on $\alpha$, and thus the justification of this is typically left implicit. But the necessity of this requirement should be kept in mind. □

Example 4.37. We now give an example of an incorrect coinductive argument. Let $\to$ and $T$ be like in the previous example. Define $\to_i$ inductively by the rules (1)-(4) from Example 4.28. We show: if $s \to t$ and $s \to t'$ then there exists $s'$ such that $t \to s'$ and $t' \to_i s'$. By inspecting the proof in the previous example one sees that it also works for the new statement. Simply, we need to change $\to$ to $\to_i$ in certain places. The proof is still correct; we just no longer need to track stages for the occurrences of $\to$ replaced by $\to_i$.

What is wrong with this argument? The modified coinductive step is indeed correct, but the formula we show is no longer standard, so Theorem 4.29 cannot be applied. Formally, we now show $\varphi(\to^\alpha)$ for each ordinal $\alpha$, where $\varphi(X) = \forall s,t,t' \in T\,.\,\exists s' \in T\,.\,(s \to t \wedge s \to t') \to (X(t,s') \wedge t' \to_i s')$ and $\to^\alpha$ is the approximant of $\to$ at stage $\alpha$. In fact, $\varphi(\to^0)$ is false: e.g. if $t'$ is infinite then there is no $s'$ such that $t' \to_i s'$. □


We finish this section with a complex example of a proof of the diamond property of a certain relation on infinitary $\varepsilon$-lambda-terms.

Definition 4.38. The binary relation $\to_1$ on infinitary $\varepsilon$-lambda-terms $\Lambda$ from Example 4.25 is defined by the following coinductive rules.

$$\frac{}{x \to_1 x}\ (1) \qquad \frac{s \to_1 s' \quad t \to_1 t'}{st \to_1 s't'}\ (2) \qquad \frac{s \to_1 s'}{\lambda x.s \to_1 \lambda x.s'}\ (3)$$

$$\frac{s \to_1 s' \quad t \to_1 t'}{(\lambda x.s)t \to_1 \varepsilon(s'[t'/x])}\ (4) \qquad \frac{t \to_1 t'}{\varepsilon(t) \to_1 \varepsilon(t')}\ (5)$$

18 More precisely: by corecursively applying the Skolem function to $s_1, t_1, t_1'$ we obtain $s'_{s_1,t_1,t_1'}$, and by the coinductive hypothesis we have $t_1 \to s'_{s_1,t_1,t_1'}$ and $t_1' \to s'_{s_1,t_1,t_1'}$.

Lemma 4.39. For $t \in \Lambda$ we have $t \to_1 t$.

Proof. Coinduction. If $t = x$ then $t \to_1 t$ by rule (1). If $t = t_1 t_2$ then $t_1 \to_1 t_1$ and $t_2 \to_1 t_2$ by the CH. Thus $t \to_1 t$ by rule (2). Other cases are analogous. □

Lemma 4.40. If $y \notin FV(t)$ then $s_1[s_2/y][t/x] = s_1[t/x][s_2[t/x]/y]$.

Proof. By coinduction, implicitly using Theorem 4.33. If $s_1 = y$ with $x \ne y$, then $s_1[s_2/y][t/x] = s_2[t/x] = s_1[t/x][s_2[t/x]/y]$, because $s_1[t/x] = y[t/x] = y$. If $s_1 = x$ then $s_1[s_2/y][t/x] = x[t/x] = t = s_1[t/x] = s_1[t/x][s_2[t/x]/y]$, because $y \notin FV(t)$. If $s_1 = u_1 u_2$ then $u_i[s_2/y][t/x] = u_i[t/x][s_2[t/x]/y]$ by the CH. Hence

$$\begin{aligned}
s_1[s_2/y][t/x] &= (u_1[s_2/y][t/x])(u_2[s_2/y][t/x]) \\
&= (u_1[t/x][s_2[t/x]/y])(u_2[t/x][s_2[t/x]/y]) \\
&= s_1[t/x][s_2[t/x]/y].
\end{aligned}$$

If $s_1 = \lambda z.s_1'$ with$^{19}$ $z \ne x,y$ then $s_1'[s_2/y][t/x] = s_1'[t/x][s_2[t/x]/y]$ by the CH. Thus

$$s_1[s_2/y][t/x] = \lambda z.s_1'[s_2/y][t/x] = \lambda z.s_1'[t/x][s_2[t/x]/y] = s_1[t/x][s_2[t/x]/y].$$

If $s_1 = \varepsilon(s_1')$ then the proof is analogous. □

Lemma 4.41. If $s \to_1 s'$ at $\alpha$ and $t \to_1 t'$ at $\alpha$ then $s[t/x] \to_1 s'[t'/x]$ at $\alpha$.

Proof. We proceed by coinduction. Note that the coinductive hypothesis is: for all ordinals $\beta \le \alpha$, and all $s,s',t,t' \in \Lambda$, $x \in V$, if $s \to_1 s'$ at $\beta$ and $t \to_1 t'$ at $\beta$ then $s[t/x] \to_1 s'[t'/x]$ at $\beta$. The statement that we need to show in the coinductive step is: for all $s,s',t,t' \in \Lambda$, $x \in V$, if $s \to_1 s'$ at $\alpha+1$ and $t \to_1 t'$ at $\alpha+1$ then $s[t/x] \to_1 s'[t'/x]$ at $\alpha+1$.

So assume $s \to_1 s'$ at $\alpha+1$ and $t \to_1 t'$ at $\alpha+1$. If $s = s' = x$ then $s[t/x] = t \to_1 t' = s'[t'/x]$ at $\alpha+1$. If $s = s' = y$ with $x \ne y$ then $s[t/x] = y = s'[t'/x]$, so $s[t/x] \to_1 s'[t'/x]$ at $\alpha+1$ by Lemma 4.39. If $s = s_1 s_2$ and $s' = s_1' s_2'$ with $s_1 \to_1 s_1'$ at $\alpha$ and $s_2 \to_1 s_2'$ at $\alpha$, then$^{20}$ $s_1[t/x] \to_1 s_1'[t'/x]$ at $\alpha$ and $s_2[t/x] \to_1 s_2'[t'/x]$ at $\alpha$ by the CH. Thus $s[t/x] = (s_1[t/x])(s_2[t/x]) \to_1 (s_1'[t'/x])(s_2'[t'/x]) = s'[t'/x]$ at $\alpha+1$ by rule (2). If $s = \lambda y.s_1$, $s' = \lambda y.s_1'$ and $s_1 \to_1 s_1'$ at $\alpha$, then $s_1[t/x] \to_1 s_1'[t'/x]$ at $\alpha$ by the CH. Thus $s[t/x] = \lambda y.s_1[t/x] \to_1 \lambda y.s_1'[t'/x] = s'[t'/x]$ at $\alpha+1$ by rule (3). If $s = (\lambda y.s_1)s_2$ and $s' = \varepsilon(s_1'[s_2'/y])$ with $s_1 \to_1 s_1'$ at $\alpha$ and $s_2 \to_1 s_2'$ at $\alpha$, then $s_1[t/x] \to_1 s_1'[t'/x]$ at $\alpha$ and $s_2[t/x] \to_1 s_2'[t'/x]$ at $\alpha$ by the CH. By Lemma 4.40 we have $s'[t'/x] = \varepsilon(s_1'[s_2'/y][t'/x]) = \varepsilon(s_1'[t'/x][s_2'[t'/x]/y])$. Thus $s[t/x] = (\lambda y.s_1[t/x])s_2[t/x] \to_1 \varepsilon(s_1'[t'/x][s_2'[t'/x]/y]) = s'[t'/x]$ at $\alpha+1$ by rule (4). Finally, if $s = \varepsilon(s_1)$, $s' = \varepsilon(s_1')$ and $s_1 \to_1 s_1'$ at $\alpha$, then $s_1[t/x] \to_1 s_1'[t'/x]$ at $\alpha$ by the CH. Thus $s[t/x] = \varepsilon(s_1[t/x]) \to_1 \varepsilon(s_1'[t'/x]) = s'[t'/x]$ at $\alpha+1$ by rule (5). □

Proposition 4.42. If $s \to_1 t$ and $s \to_1 t'$ then there exists $s'$ with $t \to_1 s'$ and $t' \to_1 s'$.

Proof. By coinduction. If $s = t = t' = x$ then take $s' = x$. If $s = s_1 s_2$, $t = t_1 t_2$ and $t' = t_1' t_2'$ with $s_i \to_1 t_i$ and $s_i \to_1 t_i'$, then by the CH we obtain $s_1'$ and $s_2'$ with $t_i \to_1 s_i'$ and $t_i' \to_1 s_i'$. Thus $t_1 t_2 \to_1 s_1' s_2'$ and $t_1' t_2' \to_1 s_1' s_2'$ by rule (2), and we may take $s' = s_1' s_2'$.

If $s = (\lambda x.s_1)s_2$, $t = (\lambda x.t_1)t_2$ and $t' = \varepsilon(t_1'[t_2'/x])$ with $s_i \to_1 t_i$ and $s_i \to_1 t_i'$, then by the CH we obtain $s_1'$ and $s_2'$ with $t_i \to_1 s_i'$ at $\alpha$ and $t_i' \to_1 s_i'$ at $\alpha$. We have $t = (\lambda x.t_1)t_2 \to_1 \varepsilon(s_1'[s_2'/x])$ at $\alpha+1$ by rule (4). By Lemma 4.41 we have $t_1'[t_2'/x] \to_1 s_1'[s_2'/x]$ at $\alpha$, so $t' = \varepsilon(t_1'[t_2'/x]) \to_1 \varepsilon(s_1'[s_2'/x])$ at $\alpha+1$ by rule (5). Therefore take $s' = \varepsilon(s_1'[s_2'/x])$. It remains to justify the well-definedness of the implicit Skolem function in this case; note that its definition is not guarded because we apply the substitution operation to results of corecursive invocations. However, a local prefix production function for this case is $\xi(n,m) = \eta_{\mathrm{subst}}(n,m) + 1 = \min(n,m) + 1 > \min(n,m)$, and well-definedness follows.

Assume $s = (\lambda x.s_1)s_2$, $t = \varepsilon(t_1[t_2/x])$ and $t' = \varepsilon(t_1'[t_2'/x])$ with $s_i \to_1 t_i$ and $s_i \to_1 t_i'$. By the CH we obtain $s_1', s_2'$ with $t_i \to_1 s_i'$ at $\alpha$ and $t_i' \to_1 s_i'$ at $\alpha$. By Lemma 4.41 we have $t_1[t_2/x] \to_1 s_1'[s_2'/x]$ at $\alpha$ and $t_1'[t_2'/x] \to_1 s_1'[s_2'/x]$ at $\alpha$. Thus $t = \varepsilon(t_1[t_2/x]) \to_1 \varepsilon(s_1'[s_2'/x])$ at $\alpha+1$ and $t' = \varepsilon(t_1'[t_2'/x]) \to_1 \varepsilon(s_1'[s_2'/x])$ at $\alpha+1$ by rule (5). Therefore take $s' = \varepsilon(s_1'[s_2'/x])$. A local prefix production function for this case is $\xi(n,m) = \eta_{\mathrm{subst}}(n,m) + 1 = \min(n,m) + 1 > \min(n,m)$, which implies well-definedness.

Other cases are similar and left to the reader. □

19 Recall that we assume bound variables to be distinct from the free ones.

20 Recall that $t \to_1 t'$ at $\alpha+1$ implies $t \to_1 t'$ at $\alpha$, by Lemma 3.2.

Note that the two last cases considered in the proof above would not go through if rule (4) was simply

$$\frac{s \to_1 s' \quad t \to_1 t'}{(\lambda x.s)t \to_1 s'[t'/x]}$$

4.4 Nested induction and coinduction

It is often useful to mix coinduction with induction, or to nest coinductive definitions. For instance, the definition from [29] of infinitary reduction of arbitrary ordinal length in infinitary term rewriting systems uses mixed induction-coinduction. Some other examples may be found in [23], among others. In this section we give a few example proofs and definitions which nest induction and/or coinduction.

Example 4.43. Define the set $T$ coinductively:

$$T ::= AT \;\|\; BT$$

For $X \subseteq T$, we define the relation $R(X) \subseteq T$ coinductively.

$$\frac{t \in X}{At \in R(X)} \qquad \frac{t \in R(X)}{Bt \in R(X)}$$

For $X \subseteq T$, the relation $S(X) \subseteq T$ is defined inductively.

$$\frac{t \in S(X)}{At \in S(X)} \qquad \frac{t \in X}{Bt \in S(X)}$$

Both $R$ and $S$ are monotone in $X$, i.e., $X \subseteq Y$ implies $R(X) \subseteq R(Y)$ and $S(X) \subseteq S(Y)$. Hence, the following definitions of $Q_1, Q_2 \subseteq T$ make sense, where the rules for $Q_1$ are interpreted coinductively and the rules for $Q_2$ inductively.

$$\frac{t \in S(Q_1)}{At \in Q_1} \qquad \frac{t \in Q_1}{Bt \in Q_1}$$

$$\frac{t \in Q_2}{At \in Q_2} \qquad \frac{t \in R(Q_2)}{Bt \in Q_2}$$

Intuitively, $t \in Q_1$ means that $t$ contains infinitely many $B$s, and $t \in Q_2$ means that $t$ contains only finitely many $A$s.

First, we show $Q_1 \subseteq S(Q_1)$. Let $t \in Q_1$. If $t = At'$ then $t' \in S(Q_1)$, so $At' \in S(Q_1)$. If $t = Bt'$ then $t' \in Q_1$, so $Bt' \in S(Q_1)$.

Now we show that if $t \in Q_2$ then $t \in Q_1$. The proof proceeds by induction on the length of derivation of $t \in Q_2$. Let $t \in Q_2$. If $t = At'$ then $t' \in Q_2$, so $t' \in Q_1$ by the inductive hypothesis. Since $Q_1 \subseteq S(Q_1)$ we have $t = At' \in Q_1$. If $t = Bt'$ then $t' \in R(Q_2')$ where $Q_2'$ is the set of $s \in Q_2$ with shorter derivations than $t \in Q_2$. By nested coinduction we show that if $t' \in R(Q_2')$ then $t' \in Q_1$. This actually follows from the inductive hypothesis (which implies $Q_2' \subseteq Q_1$), the monotonicity of $R$, and $R(Q_1) \subseteq Q_1$, but we give a direct proof. If $t' = At''$ then $t'' \in Q_2'$. So $t'' \in Q_1$ by the inductive hypothesis. Thus $t'' \in S(Q_1)$ and $t' = At'' \in Q_1$. If $t' = Bt''$ then $t'' \in R(Q_2')$. By the coinductive hypothesis $t'' \in Q_1$. Hence $t' = Bt'' \in Q_1$. □

Example 4.44. Let $Q_1$ and $T$ be as in the previous example. Consider the following corecursive definition of a function $e : Q_1 \to T$ which erases all $A$s:

$$\begin{aligned}
e(At) &= e(t) \\
e(Bt) &= B(e(t))
\end{aligned}$$

Formally, to make the definition of $e$ consistent with our theory we should also specify $e(t)$ for $t \in T \setminus Q_1$, but in this case we may simply take $e(t)$ to be an arbitrary element of $T$.

One shows by induction that a function $e : Q_1 \to T$ satisfies the above equations if and only if it satisfies

$$e(A \dots A B t) = B(e(t))$$

where $A$ occurs a finite number of times (possibly 0). But this definition of $e$ is guarded, so we conclude that there exists a unique function $e : Q_1 \to T$ satisfying the original equations. □
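As an added illustration of Examples 4.43 and 4.44 (this code is not part of the original paper), the following Python represents the coterms of T ::= AT | BT as streams of characters and implements e as a generator. Each output B is produced only after the finite run of As before it has been consumed, which is exactly the guarded form e(A...ABt) = B(e(t)); on an input outside Q1 (a tail consisting only of As) the generator would never produce again, so an optional max_run budget turns that silent divergence into an error. Membership in Q1 and Q2 is decided here only for eventually periodic streams, given as a finite prefix and a period, and q2_subset_q1 checks the inclusion Q2 ⊆ Q1 proved in Example 4.43 over all short prefixes and periods. The names erase_as, stream, in_q1, in_q2, q2_subset_q1, diverges and max_run are chosen here.

```python
"""e : Q1 -> T from Example 4.44 on streams over {A, B}, plus decidable Q1/Q2 membership
for eventually periodic streams (Example 4.43).  Added example, not from the original paper."""
from itertools import cycle, islice, product
from typing import Iterable, Iterator, Optional


def erase_as(t: Iterable[str], max_run: Optional[int] = None) -> Iterator[str]:
    """e(At) = e(t), e(Bt) = B(e(t)).  Productive exactly when t has infinitely many Bs
    (t in Q1): every output B is preceded by a finite run of As.  If max_run is given, a
    longer run raises instead of silently consuming input forever."""
    run = 0
    for c in t:
        if c == "A":
            run += 1
            if max_run is not None and run > max_run:
                raise RuntimeError(f"input left Q1: more than {max_run} consecutive As")
            continue  # e(At) = e(t): an A produces nothing
        if c != "B":
            raise ValueError(f"not a constructor of T: {c!r}")
        run = 0
        yield "B"  # e(A...ABt) = B(e(t))


def stream(prefix: str, period: str) -> Iterator[str]:
    """The eventually periodic coterm prefix . period^omega (period must be non-empty)."""
    yield from prefix
    yield from cycle(period)


def take(n: int, t: Iterable[str]) -> str:
    """The first n constructors of a stream, as a string."""
    return "".join(islice(t, n))


def in_q1(prefix: str, period: str) -> bool:
    """prefix.period^omega has infinitely many Bs iff the period contains a B."""
    return "B" in period


def in_q2(prefix: str, period: str) -> bool:
    """prefix.period^omega has finitely many As iff the period contains no A."""
    return "A" not in period


def q2_subset_q1(max_len: int = 4) -> bool:
    """Q2 is a subset of Q1 (Example 4.43), checked on all eventually periodic streams
    whose prefix and period have length at most max_len."""
    words = ["".join(w) for n in range(1, max_len + 1) for w in product("AB", repeat=n)]
    return all(in_q1(p, q) for p in [""] + words for q in words if in_q2(p, q))


def diverges(prefix: str, period: str, max_run: int, n: int) -> bool:
    """True if producing n constructors of e(prefix.period^omega) exceeds the A-run budget,
    i.e. the input is (detectably) outside Q1."""
    try:
        take(n, erase_as(stream(prefix, period), max_run=max_run))
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print(take(5, erase_as(stream("AAB", "AB"))))   # constructed sample: AAB(AB)^omega
    print(diverges("B", "A", max_run=3, n=2))        # B A^omega is not in Q1
    print(q2_subset_q1())
```

The budget is the operational counterpart of the remark that e(t) for t outside Q1 must be fixed separately: without it the generator for B A^ω yields one B and then loops, which is precisely a non-guarded (non-productive) corecursive call.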

Example 4.45. Define the set T of coterms coinductively: 

T :: = A(T) || B(T) || C(T) || D(T) || E(T) 

We define the relations —and —>2 by mutual coinduction. 



t —>2 s 

t —^x £ 

t —t 

A(t) —>1 C(s) 

B{t) ->1 D(s) 

t —>2 s 

t —s 

t —^x ^ 

C(t ) ->1 C(s) 

D(t) -+1 D(s) 

E(t) E(s) 


t —^x s 

t —>2 s 

t —>2 t 

A{t) —7-2 C(s) 

B(t) E(s) 

t —s 

t —>2 s 

t —^2 s 

C(t ) ^2 C(s) 

D(t) ->2 D(s) 

E(t) ->2 E(s) 


Intuitively, the reduction —changes A to C , and B either to D or E, starting with D and 
switching when encountering A or C. For instance 

B(B(A(B(C(B(B(t)))m ->1 D(D(C(E(C(D(D(t))m. 

Formally, the above rules define in an obvious way a monotone endofunction 
F : V(T x T) x V(T x T) -> V{T x T) x V(T x T) 
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such that (—7i,—7 2 ) is the greatest hxpoint of F. Sett ing F(X,Y) = (F\(X, Y), F 2 (X, Y)), by 
the Bekic principle (see e.g. [HI Lemma 1-4.2]) we have 21 ! 

-►1 = vX.F\ (X, vY.F 2 (X,Y)) 
y 2 = vY.FiiyX.F^X^Y). 

In other words, one may also think of —>1 as the greatest hxpoint of the monotone endofunction 
G : V{T x T) -> V(T x T) dehned by G(X) = F 1 (X,H(X)) where H(X) = vY.F 2 (X,Y ), 
i.e., vG is dehned by the coinductive rules for —>1 but instead of the premises t —>2 s we use 
(t,s) £ H(—> 1 ), and H(X) is dehned by the coinductive rules for —> 2 but with the premises 
t —>1 s replaced by (t, s) £ X. Analogous considerations apply to the definition of —» 2 . 

We shall now give an example by showing by coinduction that if $t \to_i t_1$ and $t \to_i t_2$ then there is $s$ with $t_1 \to_i s$ and $t_2 \to_i s$, for $i = 1, 2$. The proof is rather straightforward. If $t = t_1$ then we may take $s = t_2$. If $t = A(t')$, $t_1 = C(t'_1)$ and $t \to_1 t_1$, then also $t_2 = C(t'_2)$, $t' \to_2 t'_1$ and $t' \to_2 t'_2$. By the coinductive hypothesis we obtain $s'$ such that $t'_1 \to_2 s'$ and $t'_2 \to_2 s'$. Thus $t_1 = C(t'_1) \to_1 C(s')$ and $t_2 = C(t'_2) \to_1 C(s')$, so we may take $s = C(s')$. Other cases are similar.

Formally, in the above proof we show the statement:

$$\forall t, t_1, t_2 \in T.\ \exists s_1, s_2 \in T.\ ((t \to_1 t_1 \wedge t \to_1 t_2) \Rightarrow (t_1 \to_1 s_1 \wedge t_2 \to_1 s_1)) \wedge ((t \to_2 t_1 \wedge t \to_2 t_2) \Rightarrow (t_1 \to_2 s_2 \wedge t_2 \to_2 s_2))$$

So, after skolemizing, we actually show

$$\forall t, t_1, t_2 \in T.\ ((t \to_1 t_1 \wedge t \to_1 t_2) \Rightarrow (t_1 \to_1 f_1(t_1, t_2) \wedge t_2 \to_1 f_1(t_1, t_2))) \wedge ((t \to_2 t_1 \wedge t \to_2 t_2) \Rightarrow (t_1 \to_2 f_2(t_1, t_2) \wedge t_2 \to_2 f_2(t_1, t_2)))$$

for appropriate $f_1, f_2 : T \times T \to T$. The mutually corecursive definitions of $f_1$ and $f_2$ follow from the proof. Formally, we define a corecursive function $f : T \times T \to T \times T$ such that $f(t, s) = (f_1(t, s), f_2(t, s))$ for $t, s \in T$. The cartesian product $T \times T$ may be treated as a set of coterms $T_p$ of a special sort $p$. Then the projections $\pi_1$ and $\pi_2$ are destructors with a production function $\eta_d(n) = \max(0, n - 1)$. The pair-forming operator $\pi : T \times T \to T_p$, defined by $\pi(t, s) = (t, s)$, is then a constructor with a production function $\eta_c(n, m) = \min(n, m) + 1$. Thus formally we have for instance $f(C(t), C(s)) = (C(\pi_2(f(t, s))), C(\pi_1(f(t, s))))$. Hence, strictly speaking, the definition of $f$ is not guarded, but it is easily seen to be correct nonetheless. Indeed, each clause of the definition of $f$ has the form $f(c_1(t), c_2(s)) = (c_3(\pi_i(f(t, s))), c_4(\pi_j(f(t, s))))$, where $c_1, c_2, c_3, c_4$ are constructors and $i, j \in \{1, 2\}$, so the prefix production function is

$$\eta(n, m) = \min(n - 1 + 1,\ m - 1 + 1) + 1 > \min(n, m).$$
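The two relations of this example in executable form, as an added illustration that is not code from the paper: coterms are represented lazily so that infinite coterms such as $B(B(B(\ldots)))$ exist as values, and since the rules assign every $t$ exactly one $s$ with $t \to_1 s$ and exactly one with $t \to_2 s$, the pair $(\to_1, \to_2)$ is written as the mutually corecursive functions `red1` and `red2`. The leaf label `t` standing for an unspecified subterm, the helper names and the sample inputs are assumptions of this illustration.

```python
"""Mutually corecursive reductions on lazy coterms (added example for Example 4.45).

Coterms T ::= A(T) | B(T) | C(T) | D(T) | E(T) carry a thunk for the subterm, so
infinite coterms such as B(B(B(...))) are ordinary values.  For the rules above
every t has exactly one s with t ->1 s and one with t ->2 s, so the two relations
are implemented as functions red1 / red2, each of which emits one constructor and
defers the recursive call into a thunk (a guarded definition).  A leaf label such
as 't' stands for an unspecified subterm; leaves are an assumption of this
illustration, not part of the paper.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Term:
    ctor: str                                    # 'A'..'E', or a leaf label
    sub: Optional[Callable[[], "Term"]] = None   # thunk for the subterm; None for a leaf


def node(ctor: str, child: Term) -> Term:
    """Finite constructor application ctor(child)."""
    return Term(ctor, lambda: child)


def leaf(label: str) -> Term:
    return Term(label, None)


def omega(ctor: str) -> Term:
    """The infinite coterm ctor(ctor(ctor(...))), built as a self-referential thunk."""
    t = Term(ctor)
    t.sub = lambda: t
    return t


def red1(t: Term) -> Term:
    """The unique s with t ->1 s: B becomes D; A and C switch to ->2 underneath."""
    if t.sub is None:
        return t
    rules = {'A': ('C', red2), 'B': ('D', red1), 'C': ('C', red2),
             'D': ('D', red1), 'E': ('E', red1)}
    out, rec = rules[t.ctor]
    return Term(out, lambda: rec(t.sub()))


def red2(t: Term) -> Term:
    """The unique s with t ->2 s: B becomes E; A and C switch to ->1 underneath."""
    if t.sub is None:
        return t
    rules = {'A': ('C', red1), 'B': ('E', red2), 'C': ('C', red1),
             'D': ('D', red2), 'E': ('E', red2)}
    out, rec = rules[t.ctor]
    return Term(out, lambda: rec(t.sub()))


def prefix(t: Term, n: int) -> str:
    """The first n constructors of t: a finite observation of a possibly infinite coterm."""
    out = []
    while n > 0 and t.sub is not None:
        out.append(t.ctor)
        t = t.sub()
        n -= 1
    return "".join(out)


def show(t: Term, limit: int = 64) -> str:
    """Render a coterm as in the paper, e.g. B(A(t)); an infinite one is cut at `limit`."""
    ctors = []
    while t.sub is not None and len(ctors) < limit:
        ctors.append(t.ctor)
        t = t.sub()
    body = t.ctor if t.sub is None else "..."
    return "".join(c + "(" for c in ctors) + body + ")" * len(ctors)


# The paper's sample input B(B(A(B(C(B(B(t))))))), constructed here as a finite coterm.
EXAMPLE = leaf('t')
for c in reversed("BBABCBB"):
    EXAMPLE = node(c, EXAMPLE)

if __name__ == "__main__":
    print(show(EXAMPLE), "->1", show(red1(EXAMPLE)))
    print("B^omega ->1", prefix(red1(omega('B')), 8) + "...")
    print("A(B^omega) ->1", prefix(red1(node('A', omega('B'))), 8) + "...")
```

Each call emits one constructor and hides the recursive call in a thunk, which is what makes the definition guarded: `prefix(red1(omega('B')), 6)` observes `DDDDDD` of the infinite result without ever building it in full, and applying `red1` twice to the paper's sample term returns the same coterm, since $C$, $D$ and $E$ are only copied by the rules.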

The above example of mutually corecursive functions is generalized in the following. 

Definition 4.46. We say that functions $f_1, \ldots, f_n : S \to Q$ are defined by mutual corecursion from $h_j : S \times Q^{m_j} \to Q$ and $g^j_i : S \to S$, and $k^j_i \in \{1, \ldots, n\}$, $j = 1, \ldots, n$, $i = 1, \ldots, m_j$, if for a function $f : S \to Q^n$ defined by corecursion from

$$\lambda x\, y^1_1 \cdots y^{m_n}_n.\ \big(h_1(x, \pi_{k^1_1}(y^1_1), \ldots, \pi_{k^1_{m_1}}(y^{m_1}_1)),\ \ldots,\ h_n(x, \pi_{k^n_1}(y^1_n), \ldots, \pi_{k^n_{m_n}}(y^{m_n}_n))\big)$$

and $g^j_i$ we have

$$f(x) = (f_1(x), \ldots, f_n(x))$$

for $x \in S$. We say that a definition by mutual corecursion is guarded if each $h_j$ is defined by cases from some constructor-guarded functions.

21 For monotone $f$ we use the notation $\nu x.\, f(x)$ to denote the greatest fixpoint of $f$.

It follows from our theory that a guarded mutually corecursive definition uniquely determines the functions $f_1, \ldots, f_n$. In coinductive proofs, if the Skolem functions are defined by guarded mutual corecursion then their well-definedness justifications may be left implicit.

5 Infinitary lambda-calculus 

In this section we use coinductive techniques to prove confluence of Böhm reduction in infinitary lambda-calculus, i.e., of infinitary $\beta\bot$-reduction where terms reduce to $\bot$ when they have no head normal form. We consider reductions on the set of all infinitary lambda-terms, not only on $\Lambda^{001}$-terms like in [39, 38]. This is not a big difference, though, because all terms not present in $\Lambda^{001}$ reduce to $\bot$ anyway. The infinitary lambda-calculus we are concerned with, including the reductions to $\bot$, shall be called the $\Lambda_\bot$-calculus.

The general idea of the proof is to show that for every term there exists a certain standard infinitary $\beta\bot$-reduction to normal form. This reduction is called an infinitary $N$-reduction. We show that the normal forms obtained through infinitary $N$-reductions are unique. Then we show that any infinitary $\beta\bot$-reduction to normal form may be converted into an infinitary $N$-reduction. In our proof we use a standardization result for infinitary $\beta$-reductions from [32]. Even when counting in the results of [32] only referenced here, our confluence proof is simpler than previous proofs of related results.

In Section 5.1 we define infinitary lambda-terms and the various notions of infinitary reductions. We also give a rigorous coinductive treatment of $\alpha$-equivalence, justifying the usage of Barendregt's variable convention in infinitary lambda-calculus. In Section 5.2 we prove confluence and infinitary normalization of the $\Lambda_\bot$-calculus. In Section 5.3 we generalize the proof from [32] to show that our coinductive definitions of infinitary reductions correspond to standard definitions of strongly convergent infinitary reductions.

5.1 Definitions and basic properties 

Definition 5.1. The set of raw infinitary lambda-terms is defined coinductively:

$$\Lambda^\infty_r ::= C \mid V \mid \Lambda^\infty_r\, \Lambda^\infty_r \mid \lambda V.\Lambda^\infty_r$$

where $V$ is an infinite set of variables and $C$ is a set of constants such that $V \cap C = \emptyset$. An atom is a variable or a constant. We use the symbols $x, y, z, \ldots$ for variables, $c, c', c_1, \ldots$ for constants, $a, a', a_1, \ldots$ for atoms, and $t, s, \ldots$ for terms.

The relation $\mathit{free}$ between variables and raw infinitary lambda-terms is defined inductively by the following rules.

$$\frac{}{\mathit{free}(x, x)} \qquad \frac{\mathit{free}(x, t)}{\mathit{free}(x, ts)} \qquad \frac{\mathit{free}(x, s)}{\mathit{free}(x, ts)} \qquad \frac{\mathit{free}(x, t) \quad x \neq y}{\mathit{free}(x, \lambda y.t)}$$

For $t \in \Lambda^\infty_r$ we define $FV(t) = \{x \in V \mid \mathit{free}(x, t)\}$. If $T \subseteq \Lambda^\infty_r$ then we use the notation $FV(T) = \bigcup_{t \in T} FV(t)$.

Note that if the set of variables $V$ is countable, then it may be impossible to choose a "fresh" variable $x \notin FV(t)$ for a term $t \in \Lambda^\infty_r$, because $t$ may contain all variables free. This presents a difficulty when trying to precisely define substitution. See also [TBl 147]. There are two ways of resolving this situation:

1. assume that $V$ is uncountable,

2. consider only terms with finitely many free variables.

The proofs and definitions that follow are essentially the same for both solutions, so we will not explicitly commit to any of them. We just assume that a fresh variable not occurring free in a given finite set of terms may always be chosen. More precisely, we assume there is a function $\mathit{fresh} : \mathcal{P}(V) \to V$ such that if $T$ is a finite set of terms then $\mathit{fresh}(FV(T)) \notin FV(T)$.

Our treatment of $\alpha$-equivalence below is similar to the treatment of $\alpha$-equivalence for finite lambda-terms in [7].

Definition 5.2. For a set $X$ by $\mathrm{id}_X$ we denote the relation $\{(x, x) \mid x \in X\}$. For $R, S \subseteq V \times V$ the relation $R; S \subseteq V \times V$ is defined by $R; S = \{(x, z) \in V \times V \mid \exists y \in V.\, R(x, y) \wedge S(y, z)\}$. The symmetric update of $R \subseteq V \times V$ with the pair $(x, y) \in V \times V$, denoted $R(x, y)$, is a relation defined by $R(x, y) = \{(a, b) \in R \mid a \neq x \wedge b \neq y\} \cup \{(x, y)\}$.

For $R \subseteq V \times V$ we define the relation $=^R_\alpha$ coinductively by the following rules.

$$\frac{}{c =^R_\alpha c} \qquad \frac{(x, y) \in R}{x =^R_\alpha y} \qquad \frac{s =^R_\alpha s' \quad t =^R_\alpha t'}{st =^R_\alpha s't'} \qquad \frac{s =^{R(x, y)}_\alpha t}{\lambda x.s =^R_\alpha \lambda y.t}$$

The relation $=_\alpha$ of alpha-equivalence is defined as $=^{\mathrm{id}_V}_\alpha$.

Let $U$ be the set of partial functions $\sigma$ from $V$ to $\Lambda^\infty_r$ such that $\mathrm{dom}(\sigma)$ is finite. If $\sigma \in U$, $x \in V$ and $t \in \Lambda^\infty_r$ then by $\sigma[t/x]$ we denote the partial function $\sigma' \in U$ such that $\mathrm{dom}(\sigma') = \mathrm{dom}(\sigma) \cup \{x\}$, $\sigma'(y) = \sigma(y)$ for $y \neq x$, $y \in \mathrm{dom}(\sigma)$, and $\sigma'(x) = t$. We define the function $\mathit{subst} : U \times \Lambda^\infty_r \to \Lambda^\infty_r$ by guarded corecursion.

$$\begin{array}{lcll}
\mathit{subst}(\sigma, x) & = & \sigma(x) & \text{if } x \in \mathrm{dom}(\sigma) \\
\mathit{subst}(\sigma, x) & = & x & \text{if } x \notin \mathrm{dom}(\sigma) \\
\mathit{subst}(\sigma, c) & = & c & \\
\mathit{subst}(\sigma, t_1 t_2) & = & (\mathit{subst}(\sigma, t_1))(\mathit{subst}(\sigma, t_2)) & \\
\mathit{subst}(\sigma, \lambda x.t) & = & \lambda z.\mathit{subst}(\sigma[z/x], t) & \text{where } z = \mathit{fresh}(FV(\mathrm{cod}(\sigma)))
\end{array}$$

We write $s[t/x]$ for $\mathit{subst}(\{(x, t)\}, s)$.

Lemma 5.3. Let $R, S \subseteq V \times V$ and $x, y, z \in V$.

1. $(R(x, y))^{-1} = R^{-1}(y, x)$.

2. $R(x, y); S(y, z) \subseteq (R; S)(x, z)$.

3. If $R \subseteq S$ then $R(x, y) \subseteq S(x, y)$.

Proof. Follows from definitions. □

Lemma 5.4. If $R \subseteq S$ and $t =^R_\alpha t'$ at stage $\gamma$, then $t =^S_\alpha t'$ at stage $\gamma$.

Proof. By coinduction, analysing the form of $t$. We need to use point 3 of Lemma 5.3 in the case for lambda. □


Lemma 5.5. Let $R, S \subseteq V \times V$.

1. If $(x, x) \in R$ for $x \in FV(t)$ then $t =^R_\alpha t$.

2. If $t =^R_\alpha s$ then $s =^{R^{-1}}_\alpha t$.

3. If $t =^R_\alpha s$ and $s =^S_\alpha r$ then $t =^{R;S}_\alpha r$.

Proof.

1. By coinduction, analysing the form of $t$.

2. By coinduction, analysing the form of $t$. In the case for lambda we need to use point 1 of Lemma 5.3.

3. By coinduction, analysing the form of $t$. We show the case for lambda. So assume $t = \lambda x.t'$, $s = \lambda y.s'$ and $r = \lambda z.r'$. Since $t =^R_\alpha s$ and $s =^S_\alpha r$, we must have $t' =^{R(x, y)}_\alpha s'$ and $s' =^{S(y, z)}_\alpha r'$. By the coinductive hypothesis $t' =^{R(x, y); S(y, z)}_\alpha r'$ at stage $\gamma$. Since $R(x, y); S(y, z) \subseteq (R; S)(x, z)$ by point 2 of Lemma 5.3, we have $t' =^{(R; S)(x, z)}_\alpha r'$ by Lemma 5.4. Hence $t = \lambda x.t' =^{R;S}_\alpha \lambda z.r' = r$ at stage $\gamma + 1$.

□


Corollary 5.6. The relation $=_\alpha$ is an equivalence relation.

Lemma 5.7. If $t =_\alpha t'$ then $FV(t) = FV(t')$.

Proof. By induction on the derivation of $\mathit{free}(x, t)$ one shows that if $\mathit{free}(x, t)$ and $t =^R_\alpha t'$ then there is $y \in V$ with $\mathit{free}(y, t')$ and $(x, y) \in R$. □

Lemma 5.8. Assume $t =^R_\alpha t'$. Suppose $\sigma, \sigma' \in U$ satisfy:

1. $FV(\mathrm{cod}(\sigma)) = FV(\mathrm{cod}(\sigma'))$,

2. if $(x, y) \in R$ then $x \in \mathrm{dom}(\sigma)$, $y \in \mathrm{dom}(\sigma')$ and $\sigma(x) =_\alpha \sigma'(y)$.

Then $\mathit{subst}(\sigma, t) =_\alpha \mathit{subst}(\sigma', t')$.

Proof. By coinduction, with case analysis on $t$. If $t = x$ then $t' = y$ with $(x, y) \in R$, because $t =^R_\alpha t'$. Thus $x \in \mathrm{dom}(\sigma)$, $y \in \mathrm{dom}(\sigma')$ and $\mathit{subst}(\sigma, t) = \sigma(x) =_\alpha \sigma'(y) = \mathit{subst}(\sigma', t')$ by 2. If $t = c$ then $t' = c$ and $\mathit{subst}(\sigma, t) = c = \mathit{subst}(\sigma', t')$, so $\mathit{subst}(\sigma, t) =_\alpha \mathit{subst}(\sigma', t')$ by Lemma 5.5. If $t = t_1 t_2$ then $t' = t'_1 t'_2$ with $t_i =^R_\alpha t'_i$. Hence $\mathit{subst}(\sigma, t_i) =_\alpha \mathit{subst}(\sigma', t'_i)$ by the coinductive hypothesis. Thus $\mathit{subst}(\sigma, t) =_\alpha \mathit{subst}(\sigma', t')$. Finally, if $t = \lambda x.s$ then $t' = \lambda y.s'$ and $s =^{R(x, y)}_\alpha s'$. Since $FV(\mathrm{cod}(\sigma)) = FV(\mathrm{cod}(\sigma'))$ by 1, we have $\mathit{subst}(\sigma, t) = \lambda z.\mathit{subst}(\sigma[z/x], s)$ and $\mathit{subst}(\sigma', t') = \lambda z.\mathit{subst}(\sigma'[z/y], s')$ where $z = \mathit{fresh}(FV(\mathrm{cod}(\sigma)))$. Note that 1 and 2 still hold with $\sigma[z/x]$ and $\sigma'[z/y]$ instead of $\sigma$ and $\sigma'$, and with $R(x, y)$ instead of $R$. Hence, since $s =^{R(x, y)}_\alpha s'$, by the coinductive hypothesis $\mathit{subst}(\sigma[z/x], s) =_\alpha \mathit{subst}(\sigma'[z/y], s')$. Recall that $=_\alpha$ is defined as $=^{\mathrm{id}_V}_\alpha$. Because $\mathrm{id}_V(z, z) = \mathrm{id}_V$ we thus have $\mathit{subst}(\sigma, t) = \lambda z.\mathit{subst}(\sigma[z/x], s) =_\alpha \lambda z.\mathit{subst}(\sigma'[z/y], s') = \mathit{subst}(\sigma', t')$. □

Corollary 5.9. If $t =_\alpha t'$ and $s =_\alpha s'$ then $s[t/x] =_\alpha s'[t'/x]$.

The above allows us to identify $\alpha$-equivalent terms. The set $\Lambda^\infty$ of infinitary lambda-terms is defined as the set of equivalence classes of $=_\alpha$. In what follows we work with infinitary lambda-terms, not with raw infinitary lambda-terms. In other words, we consider terms up to renaming of bound variables. So now we write e.g. $\lambda x.x = \lambda y.y$. By Corollary 5.9 substitution lifts to a function on infinitary lambda-terms. This is also trivially true for application and abstraction. We can thus use the variable convention like in [13, 2.1.13]: if $t_1, \ldots, t_n$ occur in a certain mathematical context (e.g. definition, proof) then in these terms all bound variables are chosen to be different from the free ones. This allows us to work with infinitary lambda-terms in a naive way.

Another way of dealing with renamings of bound variables is to use a de Bruijn representation of infinitary lambda-terms (defined analogously to the de Bruijn representation of finite lambda-terms [25]). This approach is perhaps better suited for a formalization, but less convenient for human readers. Yet another way is to define the set of infinitary lambda-terms as the final coalgebra of an appropriate functor in the category of nominal sets mm.
Definition 5.10. Let $R \subseteq \Lambda^\infty \times \Lambda^\infty$ be a binary relation on infinitary lambda-terms. The compatible closure of $R$, denoted $\to_R$, is defined inductively by the following rules.

$$\frac{(s, t) \in R}{s \to_R t} \qquad \frac{s \to_R s'}{st \to_R s't} \qquad \frac{t \to_R t'}{st \to_R st'} \qquad \frac{s \to_R s'}{\lambda x.s \to_R \lambda x.s'}$$

If $(t, s) \in R$ then $t$ is an $R$-redex. A term $t \in \Lambda^\infty$ is in $R$-normal form if there is no $s \in \Lambda^\infty$ with $t \to_R s$, or equivalently if it contains no $R$-redexes. The parallel closure of $R$, denoted $\Rightarrow_R$, is defined coinductively by the following rules.

$$\frac{(s, t) \in R}{s \Rightarrow_R t} \qquad \frac{}{a \Rightarrow_R a} \qquad \frac{s_1 \Rightarrow_R t_1 \quad s_2 \Rightarrow_R t_2}{s_1 s_2 \Rightarrow_R t_1 t_2} \qquad \frac{s \Rightarrow_R s'}{\lambda x.s \Rightarrow_R \lambda x.s'}$$

Let $\to \subseteq \Lambda^\infty \times \Lambda^\infty$. By $\to^*$ we denote the transitive-reflexive closure of $\to$, and by $\to^=$ the reflexive closure of $\to$. The infinitary closure of $\to$, denoted $\to^\infty$, is defined coinductively by the following rules.

$$\frac{s \to^* a}{s \to^\infty a} \qquad \frac{s \to^* t_1 t_2 \quad t_1 \to^\infty t'_1 \quad t_2 \to^\infty t'_2}{s \to^\infty t'_1 t'_2} \qquad \frac{s \to^* \lambda x.r \quad r \to^\infty r'}{s \to^\infty \lambda x.r'}$$

Let $R_\beta = \{((\lambda x.s)t, s[t/x]) \mid t, s \in \Lambda^\infty\}$. The relation $\to_\beta$ of $\beta$-contraction is defined as the compatible closure of $R_\beta$. The relation $\to^*_\beta$ of $\beta$-reduction is the transitive-reflexive closure of $\to_\beta$. The relation $\to^\infty_\beta$ of infinitary $\beta$-reduction is defined as the infinitary closure of $\to_\beta$. The relation $\to_w$ of weak head contraction is defined inductively by the following rules.

$$\frac{}{(\lambda x.s)t \to_w s[t/x]} \qquad \frac{s \to_w s'}{st \to_w s't}$$

The relation $\to^*_w$ is the transitive-reflexive closure of $\to_w$. The relation $\to^\infty_w$ is the infinitary closure of $\to_w$.

The relation $\to_h$ of head contraction is defined by the following inductive rules.

$$\frac{s \to_w s'}{s \to_h s'} \qquad \frac{s \to_h s'}{\lambda x.s \to_h \lambda x.s'}$$

The relations $\to^*_h$ and $\to^\infty_h$ are defined accordingly. In a term $\lambda x_1 \ldots x_n.(\lambda x.s)t\, t_1 \ldots t_m$ the subterm $(\lambda x.s)t$ is a head redex. So $\to_h$ may contract only a head redex.

Let $\bot$ be a constant. A $\Lambda^\infty$-term $t$ is in head normal form (hnf) if $t = \lambda x_1 \ldots x_m.a\, t_1 \ldots t_n$ with $m, n \geq 0$ and $a \neq \bot$. We say that $t$ has head normal form if $t \to^*_\beta t'$ for some $t'$ in hnf. In particular, $\bot$ has no hnf.

Let $R_\bot = \{(t, \bot) \mid t \text{ has no hnf and } t \neq \bot\}$. We define the relation $\to_{\beta\bot}$ of $\beta\bot$-contraction as the compatible closure of $R_{\beta\bot} = R_\beta \cup R_\bot$. A term $t$ is in $\beta\bot$-normal form if it is in $R_{\beta\bot}$-normal form. The relation $\to^*_{\beta\bot}$ of $\beta\bot$-reduction is the transitive-reflexive closure of $\to_{\beta\bot}$. The relation $\to^\infty_{\beta\bot}$ of infinitary $\beta\bot$-reduction, or Böhm reduction, is the infinitary closure of $\to_{\beta\bot}$. The relation $\Rightarrow_\bot$ of parallel $\bot$-reduction is the parallel closure of $R_\bot$.

The idea with the definition of the infinitary closure $\to^\infty$ of a contraction relation $\to$ is that the depth at which a redex is contracted should tend to infinity. This is achieved by defining $\to^\infty$ in such a way that always after finitely many reduction steps the subsequent contractions may be performed only under a constructor. So the depth of the contracted redex always ultimately increases. The idea for the definition of $\to^\infty$ comes from [32].

The following two simple lemmas will often be used implicitly.

Lemma 5.11. Let $\to^\infty$ be the infinitary and $\to^*$ the transitive-reflexive closure of $\to$. Then the following conditions hold for all $t, s, s' \in \Lambda^\infty$:

1. $t \to^\infty t$,

2. if $t \to^* s \to^\infty s'$ then $t \to^\infty s'$,

3. if $t \to^* s$ then $t \to^\infty s$.

Proof. The first point follows by coinduction. The second point follows by case analysis on $s \to^\infty s'$. The last point follows from the previous two. □

Lemma 5.12. If $R \subseteq S \subseteq \Lambda^\infty \times \Lambda^\infty$ then $\to^\infty_R \subseteq \to^\infty_S$.

Proof. By coinduction. □

The next two lemmas have essentially been shown in [32, Lemma 4.3-4.4].

Lemma 5.13. If $s \to^\infty_\beta s'$ and $t \to^\infty_\beta t'$ then $s[t/x] \to^\infty_\beta s'[t'/x]$.

Proof. By coinduction, with case analysis on $s \to^\infty_\beta s'$, using that $t_1 \to^*_\beta t_2$ implies $t_1[t/x] \to^*_\beta t_2[t/x]$. □

Lemma 5.14. If $t_1 \to^\infty_\beta t_2 \to_\beta t_3$ then $t_1 \to^\infty_\beta t_3$.

Proof. Induction on $t_2 \to_\beta t_3$, using Lemma 5.13. □

Lemma 5.15. If $t_1, t_2 \in \Lambda^\infty$ and $t_1$ has no hnf, then neither does $t_1[t_2/x]$.

Proof. We define the relation $\succ_x$ coinductively.

$$\frac{u_1, \ldots, u_n \in \Lambda^\infty}{t \succ_x x\, u_1 \ldots u_n} \qquad \frac{}{a \succ_x a} \qquad \frac{t \succ_x t' \quad s \succ_x s'}{ts \succ_x t's'} \qquad \frac{t \succ_x t' \quad x \neq y}{\lambda y.t \succ_x \lambda y.t'}$$

In other words, $s \succ_x s'$ iff $s'$ may be obtained from $s$ by changing some arbitrary subterms in $s$ into some terms having the form $x\, u_1 \ldots u_n$. It is easy to show by induction that

(*) if $t \to^*_\beta s$ and $t \succ_x t'$, then there exists $s'$ such that $t' \to^*_\beta s'$ and $s \succ_x s'$.

Note that if $s \succ_x s'$ and $s$ is in hnf, then so is $s'$.

Suppose $t_1[t_2/x] \to^*_\beta s$ for some $s$ in hnf. By the variable convention $t_1[t_2/x] \succ_x t_1$. Hence by (*) there is $s'$ such that $t_1 \to^*_\beta s'$ and $s \succ_x s'$. Since $s$ is in hnf, so is $s'$. □

5.2 Confluence and normalization of Böhm reductions

Our aim is to prove the following theorems.

Theorem 5.40 (Confluence of the $\Lambda_\bot$-calculus). If $t \to^\infty_{\beta\bot} t_1$ and $t \to^\infty_{\beta\bot} t_2$ then there exists $t_3$ such that $t_1 \to^\infty_{\beta\bot} t_3$ and $t_2 \to^\infty_{\beta\bot} t_3$.

Theorem 5.41 (Normalization of the $\Lambda_\bot$-calculus). For every $t \in \Lambda^\infty$ there exists a unique $s \in \Lambda^\infty$ in $\beta\bot$-normal form such that $t \to^\infty_{\beta\bot} s$.

Actually, Theorem 5.40 follows from Theorem 5.41, but we show Theorem 5.40 first. Then we use Theorem 5.40 together with several lemmas to derive Theorem 5.41.
5.2.1 Head reduction

Theorem 5.16 (Endrullis, Polonsky [32]). $t \to^\infty_\beta s$ iff $t \to^\infty_w s$.

Corollary 5.17. $t \to^\infty_\beta s$ iff $t \to^\infty_h s$.

Proof. If $t \to^\infty_\beta s$ then $t \to^\infty_w s$ by Theorem 5.16. Then $t \to^\infty_h s$, because $u \to^*_w u'$ implies $u \to^*_h u'$. If $t \to^\infty_h s$ then obviously $t \to^\infty_\beta s$, because $u \to^*_h u'$ implies $u \to^*_\beta u'$. □

Lemma 5.18. If $t \to^\infty_\beta s$ with $s$ in hnf, then there is $s'$ in hnf with $t \to^*_h s'$.

Proof. By Corollary 5.17 we have $t \to^\infty_h s$. Since $s$ is in hnf, $s = \lambda y_1 \ldots y_n.a\, s_1 \ldots s_m$ where $a \neq \bot$. Then $t \to^*_h s' = \lambda y_1 \ldots y_n.a\, s'_1 \ldots s'_m$ with $s'_i \to^\infty_h s_i$. But $s'$ is in hnf. □

Lemma 5.19. If $t \to^\infty_h t_1$ and $t \to_h t_2$ then there is $t_3$ with $t_2 \to^\infty_h t_3$ and $t_1 \to^=_h t_3$.

Proof. If the head redex in $t$ is contracted in $t \to^\infty_h t_1$ then $t \to_h t_2 \to^\infty_h t_1$ and we may take $t_3 = t_1$. Otherwise $t = \lambda y_1 \ldots y_n.(\lambda x.s)u\, u_1 \ldots u_m$, $t_2 = \lambda y_1 \ldots y_n.s[u/x]\, u_1 \ldots u_m$ and $t_1 = \lambda y_1 \ldots y_n.(\lambda x.s')u'\, u'_1 \ldots u'_m$ with $s \to^\infty_h s'$, $u \to^\infty_h u'$ and $u_i \to^\infty_h u'_i$ for $i = 1, \ldots, m$. By Corollary 5.17 and Lemma 5.13 we obtain $s[u/x] \to^\infty_h s'[u'/x]$. Take $t_3 = \lambda y_1 \ldots y_n.s'[u'/x]\, u'_1 \ldots u'_m$. Then $t_2 \to^\infty_h t_3$ and $t_1 \to_h t_3$. □

Lemma 5.20. If $t \to^\infty_\beta s$ and $t$ has a hnf, then so does $s$.

Proof. Suppose $t$ has a hnf. Then by Lemma 5.18 there is $t'$ in hnf with $t \to^*_h t'$. By Corollary 5.17 and Lemma 5.19 there is $r$ with $s \to^*_h r$ and $t' \to^\infty_h r$. Since $t'$ is in hnf, so must be $r$. Hence $s$ has a hnf $r$. □

Lemma 5.21. If $t \to^*_h s_1$ and $t \to^*_h s_2$, and $s_1, s_2$ are in hnf, then $s_1 = s_2$.

Proof. By induction on the length of $t \to^*_h s_1$. If $t = s_1$ then $s_1 \to^*_h s_2$, which is only possible when $s_1 = s_2$, because $s_1$ is in hnf. Otherwise $t \to_h t' \to^*_h s_1$. Then either $t \to_h t' \to^*_h s_2$ or $t = s_2$, because head redexes are unique if they exist. If $t \to_h t' \to^*_h s_2$ then $s_1 = s_2$ by the inductive hypothesis. If $t = s_2 \to^*_h s_1$ then also $s_1 = s_2$ because $s_2$ is in hnf. □

5.2.2 Properties of parallel $\bot$-reduction

Lemma 5.22. If $s \Rightarrow_\bot s'$ and $t \Rightarrow_\bot t'$ then $s[t/x] \Rightarrow_\bot s'[t'/x]$.

Proof. Coinduction with case analysis on $s \Rightarrow_\bot s'$, using Lemma 5.15. □

Lemma 5.23. If $t \Rightarrow_\bot s$ then $t \to^\infty_{\beta\bot} s$.

Proof. By coinduction. □

Lemma 5.24. If $t$ has no hnf and $s \Rightarrow_\bot t$, then neither does $s$.

Proof. We write $t_1 \succeq_\bot t_2$ if $t_2$ may be obtained from $t_1$ by replacing some subterms of $t_1$ having no hnf with some terms of the form $\bot\, u_1 \ldots u_k$. Using Lemma 5.15 one shows by induction

(★) if $u \to^*_\beta u'$ and $u \succeq_\bot r$ then there is $r'$ with $u' \succeq_\bot r'$ and $r \to^*_\beta r'$.

Now suppose $s \to^*_\beta s' = \lambda x_1 \ldots x_m.a\, s_1 \ldots s_n$ with $a \neq \bot$. Then by (★) there is $t'$ with $s' \succeq_\bot t'$ and $t \to^*_\beta t'$. Since $\lambda x_i \ldots x_m.a\, s_1 \ldots s_n$ is in hnf for each $i = 1, \ldots, m + 1$, this is only possible when $t' = \lambda x_1 \ldots x_m.a\, t_1 \ldots t_n$ with $s_i \succeq_\bot t_i$ for $i = 1, \ldots, n$. But then $t$ has hnf $t'$. □

Lemma 5.25. If $t_1 \Rightarrow_\bot t_2 \Rightarrow_\bot t_3$ then $t_1 \Rightarrow_\bot t_3$.

Proof. Coinduction with case analysis on $t_2 \Rightarrow_\bot t_3$, using Lemma 5.24. □
5.2.3 Postponement of parallel $\bot$-reduction

Lemma 5.26. If $t_1 \Rightarrow_\bot t_2 \to_\beta t_3$ then there exists $t'_1$ such that $t_1 \to_\beta t'_1 \Rightarrow_\bot t_3$.

Proof. Induction on $t_2 \to_\beta t_3$. The only interesting case is when $t_2 = (\lambda x.s_1)s_2$ and $t_3 = s_1[s_2/x]$. Then $t_1 = (\lambda x.u_1)u_2$ with $u_i \Rightarrow_\bot s_i$. By Lemma 5.22 $u_1[u_2/x] \Rightarrow_\bot s_1[s_2/x]$. Thus take $t'_1 = u_1[u_2/x]$. □

Lemma 5.27. If $s \to^*_{\beta\bot} t$ then there exists $r$ such that $s \to^*_\beta r \Rightarrow_\bot t$.

Proof. Induction on the length of $s \to^*_{\beta\bot} t$, using Lemma 5.26 and Lemma 5.25. □

Corollary 5.28. If $t_1 \Rightarrow_\bot t_2 \to^*_{\beta\bot} t_3$ then there is $s$ with $t_1 \to^*_\beta s \Rightarrow_\bot t_3$.

Proof. Follows from Lemmas 5.27, 5.26, 5.25. □

Lemma 5.29. If $t_1 \Rightarrow_\bot t_2 \to^\infty_{\beta\bot} t_3$ then $t_1 \to^\infty_{\beta\bot} t_3$.

Proof. By coinduction. There are three cases.

• $t_3 = a$. Then $t_1 \Rightarrow_\bot t_2 \to^*_{\beta\bot} a$. By Corollary 5.28 there is $s$ with $t_1 \to^*_\beta s \Rightarrow_\bot a$. By Lemma 5.23 we have $s \to^\infty_{\beta\bot} a$. Thus $t_1 \to^\infty_{\beta\bot} a$.

• $t_3 = s_1 s_2$. Then $t_1 \Rightarrow_\bot t_2 \to^*_{\beta\bot} s'_1 s'_2$ with $s'_i \to^\infty_{\beta\bot} s_i$. By Corollary 5.28 there is $u$ with $t_1 \to^*_\beta u \Rightarrow_\bot s'_1 s'_2$. Then $u = u_1 u_2$ with $u_i \Rightarrow_\bot s'_i \to^\infty_{\beta\bot} s_i$. By the coinductive hypothesis $u_i \to^\infty_{\beta\bot} s_i$. Thus $t_1 \to^\infty_{\beta\bot} s_1 s_2 = t_3$.

• $t_3 = \lambda x.r$. The argument is analogous to the previous case.

□

Theorem 5.30 (Postponement of parallel $\bot$-reduction). If $s \to^\infty_{\beta\bot} t$ then there exists $r$ such that $s \to^\infty_\beta r \Rightarrow_\bot t$.

Proof. By coinduction with case analysis on $s \to^\infty_{\beta\bot} t$, using Lemmas 5.27, 5.29. □

Corollary 5.31. If $s$ has no hnf and $t \to^\infty_{\beta\bot} s$ then $t$ has no hnf.

Proof. Suppose $t$ has a hnf. By Theorem 5.30 there is $s'$ with $t \to^\infty_\beta s'$ and $s' \Rightarrow_\bot s$. By Lemma 5.20 $s'$ has a hnf. But because $s$ has no hnf, by Lemma 5.24 neither does $s'$. Contradiction. □

Lemma 5.32. If $t \to^\infty_{\beta\bot} t' \Rightarrow_\bot s$ then $t \to^\infty_{\beta\bot} s$.

Proof. By coinduction, analysing $t' \Rightarrow_\bot s$. All cases follow directly from the coinductive hypothesis, except when $s = \bot$ and $t'$ has no hnf. But then $t$ has no hnf by Corollary 5.31, so $t \Rightarrow_\bot s$, and thus $t \to^\infty_{\beta\bot} s$ by Lemma 5.23. □

Corollary 5.33. If $t \to^\infty_{\beta\bot} s \to_{\beta\bot} r$ then $t \to^\infty_{\beta\bot} r$.

Proof. By Theorem 5.30 we have $t \to^\infty_\beta t' \Rightarrow_\bot s \to_{\beta\bot} r$. By Lemma 5.26 there is $s'$ with $t' \to_\beta s' \Rightarrow_\bot r$. By Lemma 5.14 we have $t \to^\infty_\beta s'$, and thus $t \to^\infty_{\beta\bot} s'$. By Lemma 5.32 we finally obtain $t \to^\infty_{\beta\bot} r$. □

Corollary 5.34. If $t \to^\infty_{\beta\bot} \lambda y_1 \ldots y_n.a\, t_1 \ldots t_m$ with $a \neq \bot$ then there exist $t'_1, \ldots, t'_m$ such that $t'_i \to^\infty_{\beta\bot} t_i$ and $t \to^*_h \lambda y_1 \ldots y_n.a\, t'_1 \ldots t'_m$.

Proof. By Theorem 5.30 there is $s$ with $t \to^\infty_\beta s \Rightarrow_\bot \lambda y_1 \ldots y_n.a\, t_1 \ldots t_m$. Since $a \neq \bot$, we have $s = \lambda y_1 \ldots y_n.a\, s_1 \ldots s_m$ with $s_i \Rightarrow_\bot t_i$. By Corollary 5.17 we have $t \to^\infty_h s$. It follows directly from the definition of $\to^\infty_h$ that $t \to^*_h \lambda y_1 \ldots y_n.a\, t'_1 \ldots t'_m$ with $t'_i \to^\infty_h s_i$, so $t'_i \to^\infty_{\beta\bot} s_i$. By Theorem 5.30 and Lemma 5.25 there are $u_1, \ldots, u_m$ with $t'_i \to^\infty_\beta u_i \Rightarrow_\bot t_i$. Thus $t'_i \to^\infty_{\beta\bot} t_i$ by Lemma 5.32. □
5.2.4 Infinitary $N$-reduction

In the $\Lambda_\bot$-calculus every term has a unique normal form. This normal form may be obtained through an infinitary $N$-reduction, defined below.

Definition 5.35. The relation $\to^\infty_N$ is defined coinductively.

$$\frac{t \to^*_h \lambda x_1 \ldots x_n.a\, t_1 \ldots t_m \quad t_i \to^\infty_N t'_i \text{ for } i = 1, \ldots, m \quad a \neq \bot}{t \to^\infty_N \lambda x_1 \ldots x_n.a\, t'_1 \ldots t'_m} \qquad \frac{t \text{ has no hnf}}{t \to^\infty_N \bot}$$

Lemma 5.36. If $t \to^\infty_N s$ then $t \to^\infty_{\beta\bot} s$.

Proof. By coinduction. □

Lemma 5.37. For every term $t \in \Lambda^\infty$ there is $s$ with $t \to^\infty_N s$.

Proof. By coinduction. If $t$ has no hnf then $t \to^\infty_N \bot$ and we may take $s = \bot$. Otherwise $t \to^*_h \lambda x_1 \ldots x_n.a\, t_1 \ldots t_m$ with $a \neq \bot$, by Lemma 5.18. By the coinductive hypothesis we obtain $s_1, \ldots, s_m$ with $t_i \to^\infty_N s_i$ for $i = 1, \ldots, m$. Thus $t \to^\infty_N s$ for $s = \lambda x_1 \ldots x_n.a\, s_1 \ldots s_m$. □

Lemma 5.38. If $t \to^\infty_N s_1$ and $t \to^\infty_N s_2$ then $s_1 = s_2$.

Proof. By coinduction. If $s_1 = \bot$ then $t$ has no hnf, so we must also have $s_2 = \bot$. Otherwise $s_1 = \lambda y_1 \ldots y_n.a\, u'_1 \ldots u'_m$, $a \neq \bot$, $t \to^*_h u = \lambda y_1 \ldots y_n.a\, u_1 \ldots u_m$ and $u_i \to^\infty_N u'_i$ for $i = 1, \ldots, m$. Since $t$ has a hnf, we have $s_2 \neq \bot$. Hence $s_2 = \lambda y_1 \ldots y_j.a'\, w'_1 \ldots w'_k$, $a' \neq \bot$, $t \to^*_h w = \lambda y_1 \ldots y_j.a'\, w_1 \ldots w_k$ and $w_i \to^\infty_N w'_i$ for $i = 1, \ldots, k$. Since $u$ and $w$ are in hnf, $u = w$ by Lemma 5.21. Hence $u_i \to^\infty_N u'_i$ and $u_i \to^\infty_N w'_i$ for $i = 1, \ldots, m$. By the coinductive hypothesis $u'_i = w'_i$ for $i = 1, \ldots, m$. Hence $s_1 = \lambda y_1 \ldots y_n.a\, u'_1 \ldots u'_m = \lambda y_1 \ldots y_n.a\, w'_1 \ldots w'_m = s_2$. □

Lemma 5.39. If $t \to^\infty_{\beta\bot} t' \to^\infty_N s$ then $t \to^\infty_N s$.

Proof. By coinduction. If $s = \bot$ then $t'$ has no hnf. By Corollary 5.31 neither does $t$. Hence $t \to^\infty_N \bot = s$. If $s \neq \bot$ then $s = \lambda y_1 \ldots y_n.a\, s'_1 \ldots s'_m$, $a \neq \bot$ and $t' \to^*_h t'' = \lambda y_1 \ldots y_n.a\, s_1 \ldots s_m$ with $s_i \to^\infty_N s'_i$. Since $t \to^\infty_{\beta\bot} t' \to^*_h t''$, by Corollary 5.33 we have $t \to^\infty_{\beta\bot} t''$. By Corollary 5.34 there are $t_1, \ldots, t_m$ with $t_i \to^\infty_{\beta\bot} s_i \to^\infty_N s'_i$ for $i = 1, \ldots, m$, and $t \to^*_h \lambda y_1 \ldots y_n.a\, t_1 \ldots t_m$. By the coinductive hypothesis $t_i \to^\infty_N s'_i$ for $i = 1, \ldots, m$. Thus $t \to^\infty_N \lambda y_1 \ldots y_n.a\, s'_1 \ldots s'_m = s$. □

5.2.5 Confluence and normalization

Theorem 5.40 (Confluence of the $\Lambda_\bot$-calculus). If $t \to^\infty_{\beta\bot} t_1$ and $t \to^\infty_{\beta\bot} t_2$ then there exists $t_3$ such that $t_1 \to^\infty_{\beta\bot} t_3$ and $t_2 \to^\infty_{\beta\bot} t_3$.

Proof. By Lemma 5.37 there are $t'_1, t'_2$ with $t_i \to^\infty_N t'_i$ for $i = 1, 2$. By Lemma 5.39 we have $t \to^\infty_N t'_i$ for $i = 1, 2$. By Lemma 5.38 we have $t'_1 = t'_2$. Take $t_3 = t'_1 = t'_2$. We have $t_i \to^\infty_N t_3$ for $i = 1, 2$, so $t_1 \to^\infty_{\beta\bot} t_3$ and $t_2 \to^\infty_{\beta\bot} t_3$ by Lemma 5.36. □

Theorem 5.41 (Normalization of the $\Lambda_\bot$-calculus). For every $t \in \Lambda^\infty$ there exists a unique $s \in \Lambda^\infty$ in $\beta\bot$-normal form such that $t \to^\infty_{\beta\bot} s$.

Proof. By Lemma 5.37 there is $s$ with $t \to^\infty_N s$. It follows from definitions that $s$ is in $\beta\bot$-normal form. By Lemma 5.36 we have $t \to^\infty_{\beta\bot} s$. The uniqueness of $s$ follows from Theorem 5.40. □
5.3 Strongly convergent reductions

In this section we prove that the existence of coinductive infinitary reductions is equivalent to the existence of strongly convergent reductions, under certain assumptions. As a corollary, this also yields $\omega$-compression of strongly convergent reductions, under certain assumptions. The equivalence proof is virtually the same as in [32]. The notion of strongly convergent reductions is the standard notion of infinitary reductions used in non-coinductive treatments of infinitary lambda-calculus.

Definition 5.42. On the set of infinitary lambda-terms we define a metric $d$ by

$$d(t, s) = \inf\{2^{-n} \mid t|_n = s|_n\}$$

where $r|_n$ for $r \in \Lambda^\infty$ is defined as the infinitary lambda-term obtained by replacing all subterms of $r$ at depth $n$ by $\bot$. This defines a metric topology on the set of infinitary lambda-terms. Let $R \subseteq \Lambda^\infty \times \Lambda^\infty$ and let $\alpha$ be an ordinal. A map $f : \{\beta \leq \alpha\} \to \Lambda^\infty$ together with contraction steps $\sigma_\beta : f(\beta) \to_R f(\beta + 1)$ for $\beta < \alpha$ is a strongly convergent $R$-reduction sequence of length $\alpha$ from $f(0)$ to $f(\alpha)$ if the following conditions hold:

1. if $\gamma \leq \alpha$ is a limit ordinal then $f(\gamma)$ is the limit in the metric topology on infinite terms of the ordinal-indexed sequence $(f(\beta))_{\beta < \gamma}$,

2. if $\gamma \leq \alpha$ is a limit ordinal then for every $d \in \mathbb{N}$ there exists $\beta < \gamma$ such that for all $\beta'$ with $\beta \leq \beta' < \gamma$ the redex contracted in the step $\sigma_{\beta'}$ occurs at depth greater than $d$.

We write $s \twoheadrightarrow^{S,\alpha}_R t$ if $S$ is a strongly convergent $R$-reduction sequence of length $\alpha$ from $s$ to $t$.

A relation $\to \subseteq \Lambda^\infty \times \Lambda^\infty$ is appendable if $t_1 \to^\infty t_2 \to t_3$ implies $t_1 \to^\infty t_3$. We define $\to^{2\infty}$ as the infinitary closure of $\to^\infty$. We write $\to^{\infty*}$ for the transitive-reflexive closure of $\to^\infty$.
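The substitution function of Definition 5.2 together with the truncation $t|_n$ and the metric $d$ of Definition 5.42, as an added illustration that is not the paper's own code. Subterms are thunks, so infinite terms are ordinary values and `subst` is guarded corecursion. The example assumes that the terms in $\mathrm{cod}(\sigma)$ are finite (so $FV(\mathrm{cod}(\sigma))$ is computable), that fresh variables are drawn from a reserved supply `z0, z1, ...` which never occurs free in input terms (one way of meeting the paper's assumption that a fresh variable can always be chosen), and that the relations $R$ of $=^R_\alpha$ are represented as predicates on pairs of names; `alpha_eq` checks $=^R_\alpha$ up to a finite stage, which decides it exactly for finite terms such as truncations. All helper names and sample terms are constructed for this example.

```python
"""Lazy infinitary lambda-terms with subst (Definition 5.2) and the truncation
t|n and metric d (Definition 5.42).  Added illustration, not the paper's code.
Subterms are thunks, so infinite terms are values, and subst is guarded
corecursion.  Assumptions: terms in cod(sigma) are finite (so FV(cod(sigma)) is
computable); fresh variables z0, z1, ... never occur free in input terms; the
relations R of =_alpha^R are predicates on pairs of names."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

Thunk = Callable[[], "Term"]
Rel = Callable[[str, str], bool]


@dataclass
class Term:
    kind: str                      # 'var', 'const', 'app' or 'lam'
    name: str = ""                 # variable/constant name; bound variable for 'lam'
    left: Optional[Thunk] = None   # function part of an application
    right: Optional[Thunk] = None  # argument part of an application
    body: Optional[Thunk] = None   # body of an abstraction


def var(x: str) -> Term: return Term('var', x)
def const(c: str) -> Term: return Term('const', c)
def app(s: Term, t: Term) -> Term: return Term('app', left=lambda: s, right=lambda: t)
def lam(x: str, t: Term) -> Term: return Term('lam', x, body=lambda: t)
BOT = const('⊥')                   # the constant ⊥ used by truncation


def infinite_app(x: str) -> Term:
    """The infinite term x (x (x ...)): an application whose argument is itself."""
    t = Term('app', left=lambda: var(x))
    t.right = lambda: t
    return t


def free_vars(t: Term) -> Set[str]:
    """FV(t) of a finite term, by the inductive rules for free(x, t)."""
    if t.kind == 'var': return {t.name}
    if t.kind == 'const': return set()
    if t.kind == 'app': return free_vars(t.left()) | free_vars(t.right())
    return free_vars(t.body()) - {t.name}


def fresh(avoid: Set[str]) -> str:
    """A reserved variable z<i> not in the finite set `avoid`."""
    i = 0
    while f"z{i}" in avoid: i += 1
    return f"z{i}"


def subst(sigma: Dict[str, Term], t: Term) -> Term:
    """subst(sigma, t) for a partial function sigma with finite domain (a dict)."""
    if t.kind == 'var': return sigma.get(t.name, t)   # sigma(x) if x in dom(sigma), else x
    if t.kind == 'const': return t
    if t.kind == 'app':   # guarded: the recursive calls are deferred into thunks
        return Term('app', left=lambda: subst(sigma, t.left()),
                    right=lambda: subst(sigma, t.right()))
    z = fresh(set().union(*map(free_vars, sigma.values())))   # fresh(FV(cod(sigma)))
    sigma_z = dict(sigma, **{t.name: var(z)})                   # sigma[z/x]
    return Term('lam', z, body=lambda: subst(sigma_z, t.body()))


IDENTITY: Rel = lambda a, b: a == b                            # id_V


def update(R: Rel, x: str, y: str) -> Rel:
    """Symmetric update R(x, y): drop pairs mentioning x or y, add (x, y)."""
    return lambda a, b: (a == x and b == y) or (a != x and b != y and R(a, b))


def alpha_eq(R: Rel, s: Term, t: Term, depth: int) -> bool:
    """s =_alpha^R t at stage `depth`: no mismatch within `depth` constructors;
    for finite terms any depth beyond their size decides the relation exactly."""
    if depth == 0: return True
    if s.kind != t.kind: return False
    if s.kind == 'var': return R(s.name, t.name)
    if s.kind == 'const': return s.name == t.name
    if s.kind == 'app':
        return (alpha_eq(R, s.left(), t.left(), depth - 1)
                and alpha_eq(R, s.right(), t.right(), depth - 1))
    return alpha_eq(update(R, s.name, t.name), s.body(), t.body(), depth - 1)


def truncate(t: Term, n: int) -> Term:
    """t|n: every subterm at depth n is replaced by ⊥, giving a finite term."""
    if n == 0: return BOT
    if t.kind == 'app': return app(truncate(t.left(), n - 1), truncate(t.right(), n - 1))
    if t.kind == 'lam': return lam(t.name, truncate(t.body(), n - 1))
    return t


def metric(s: Term, t: Term, limit: int = 64) -> float:
    """d(s, t) = inf{2^-n | s|n = t|n}, equality taken up to alpha-equivalence.
    s|0 = t|0 always, and disagreement at n persists for all larger n, so
    d = 2^-N for the largest N with s|N = t|N; 0.0 if they agree up to `limit`."""
    for n in range(1, limit + 1):
        if not alpha_eq(IDENTITY, truncate(s, n), truncate(t, n), n + 1):
            return 2.0 ** -(n - 1)
    return 0.0


def to_str(t: Term, limit: int = 12) -> str:
    """Render a term, cutting an infinite one at `limit` levels."""
    if limit == 0: return "..."
    if t.kind in ('var', 'const'): return t.name
    if t.kind == 'app': return f"({to_str(t.left(), limit - 1)} {to_str(t.right(), limit - 1)})"
    return f"λ{t.name}.{to_str(t.body(), limit - 1)}"
```

`metric` finds the largest $N$ at which the truncations agree: for the infinite term $x(x(x(\ldots)))$ against $x(x(y))$ it returns $2^{-2}$, since both truncate to $(x\ (\bot\ \bot))$ at depth 2 but differ at depth 3. The renaming clause of `subst` can be checked on `subst({'y': var('x')}, lam('x', var('y')))`, which yields $\lambda z_0.x$ rather than capturing $x$; the result of substituting into an infinite term is observed through `truncate`, e.g. `to_str(truncate(subst({'x': const('c')}, infinite_app('x')), 3))`.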


Lemma 5.43. If $\to$ is appendable then $t_1 \to^\infty t_2 \to^\infty t_3$ implies $t_1 \to^\infty t_3$.

Proof. By coinduction. This has essentially been shown in [32, Lemma 4.5]. □

Lemma 5.44. If $\to$ is appendable then $s \to^{2\infty} t$ implies $s \to^\infty t$.

Proof. By coinduction. There are three cases.

• $t = a$. Then $s \to^{\infty*} a$, so $s \to^\infty a$ by Lemma 5.43.

• $t = t_1 t_2$. Then there are $t'_1, t'_2$ with $s \to^{\infty*} t'_1 t'_2$ and $t'_i \to^{2\infty} t_i$. By Lemma 5.43 we have $s \to^\infty t'_1 t'_2$, so there are $u_1, u_2$ with $s \to^* u_1 u_2$ and $u_i \to^\infty t'_i$. Then $u_i \to^{2\infty} t_i$. By the coinductive hypothesis $u_i \to^\infty t_i$. Hence $s \to^\infty t_1 t_2 = t$.

• $t = \lambda x.r$. Then by Lemma 5.43 there is $s'$ with $s \to^\infty \lambda x.s'$ and $s' \to^{2\infty} r$. So there is $s_0$ with $s \to^* \lambda x.s_0$ and $s_0 \to^\infty s'$. Then also $s_0 \to^{2\infty} r$. By the coinductive hypothesis $s_0 \to^\infty r$. Thus $s \to^\infty \lambda x.r = t$.

□

Theorem 5.45. For every $R \subseteq \Lambda^\infty \times \Lambda^\infty$ such that $\to_R$ is appendable, and for all $s, t \in \Lambda^\infty$, we have the equivalence: $s \to^\infty_R t$ iff there exists a strongly convergent $R$-reduction sequence from $s$ to $t$. Moreover, if $s \to^\infty_R t$ then the sequence may be chosen to have length at most $\omega$.

Proof. The proof is a straightforward generalization of the proof of Theorem 3 in [32].

Suppose that $s \to^\infty_R t$. By traversing the infinite derivation tree of $s \to^\infty_R t$ and accumulating the finite prefixes by concatenation, we obtain a reduction sequence of length at most $\omega$ which satisfies the depth requirement by construction.

For the other direction, by induction on $\alpha$ we show that if $s \twoheadrightarrow^{S,\alpha}_R t$ then $s \to^{2\infty}_R t$, which suffices for $s \to^\infty_R t$ by Lemma 5.44. There are three cases.
• $\alpha = 0$. If $s \twoheadrightarrow^{S,0}_R t$ then $s = t$, so $s \to^{2\infty}_R t$.

• $\alpha = \beta + 1$. If $s \twoheadrightarrow^{S,\beta+1}_R t$ then $s \twoheadrightarrow^{S',\beta}_R s' \to_R t$. Hence $s \to^{2\infty}_R s'$ by the inductive hypothesis. Then $s \to^\infty_R s' \to_R t$ by Lemma 5.44. So $s \to^\infty_R t$ because $\to_R$ is appendable, and thus $s \to^{2\infty}_R t$.

• $\alpha$ is a limit ordinal. By coinduction we show that if $s \twoheadrightarrow^{S,\alpha}_R t$ then $s \to^{2\infty}_R t$. By the depth condition there is $\beta < \alpha$ such that for every $\gamma \geq \beta$ the redex contracted in $S$ at $\gamma$ occurs at depth greater than zero. Let $t_\beta$ be the term at index $\beta$ in $S$. Then by the inductive hypothesis we have $s \to^{2\infty}_R t_\beta$, and thus $s \to^\infty_R t_\beta$ by Lemma 5.44. There are three cases.

  – $t_\beta = a$. This is impossible because then there can be no contraction of $t_\beta$ at depth greater than zero.

  – $t_\beta = \lambda x.r$. Then $t = \lambda x.u$ and $r \twoheadrightarrow^{S',\delta}_R u$ with $\delta \leq \alpha$. Hence $r \to^{2\infty}_R u$ by the coinductive hypothesis if $\delta = \alpha$, or by the inductive hypothesis if $\delta < \alpha$. Since $s \to^\infty_R \lambda x.r$ we obtain $s \to^{2\infty}_R \lambda x.u = t$.

  – $t_\beta = t_1 t_2$. Then $t = u_1 u_2$ and the tail of the reduction $S$ past $\beta$ may be split into two parts: $t_i \twoheadrightarrow^{S_i,\delta_i}_R u_i$ with $\delta_i \leq \alpha$ for $i = 1, 2$. Then $t_i \to^{2\infty}_R u_i$ by the inductive and/or the coinductive hypothesis. Since $s \to^\infty_R t_1 t_2$ we obtain $s \to^{2\infty}_R u_1 u_2 = t$.

□


Corollary 5.46 ($\omega$-compression). If $\to_R$ is appendable and there exists a strongly convergent $R$-reduction sequence from $s$ to $t$ then there exists such a sequence of length at most $\omega$.

Corollary 5.47.

• $s \to^\infty_{\beta\bot} t$ iff there exists a strongly convergent $\beta\bot$-reduction sequence from $s$ to $t$.

• $s \to^\infty_\beta t$ iff there exists a strongly convergent $\beta$-reduction sequence from $s$ to $t$.

Proof. By Theorem 5.45 it suffices to show that $\to_{\beta\bot}$ and $\to_\beta$ are appendable. For $\to_{\beta\bot}$ this follows from Lemma 5.32 and Corollary 5.33. For $\to_\beta$ this follows from Lemma 5.14. □


References 

[1] Andreas Abel. MiniAgda: Integrating sized and dependent types. In Ana Bove, Ekaterina Komendantskaya, and Milad Niqui, editors, PAR, volume 43 of EPTCS, pages 14-28, 2010.

[2] Andreas Abel. Type-based termination, inflationary fixed-points, and mixed inductive-coinductive types. In Dale Miller and Zoltán Ésik, editors, FICS, volume 77 of EPTCS, pages 1-11, 2012.

[3] Andreas Abel and Brigitte Pientka. Wellfounded recursion with copatterns: a unified approach to termination and productivity. In Greg Morrisett and Tarmo Uustalu, editors, ICFP, pages 185-196. ACM, 2013.

[4] Peter Aczel. Non-well-founded Sets. Number 14 in Lecture Notes. Center for the Study of Language and Information, Stanford University, 1988.

[5] Peter Aczel and Nax Paul Mendler. A final coalgebra theorem. In David H. Pitt, David E. Rydeheard, Peter Dybjer, Andrew M. Pitts, and Axel Poigné, editors, Category Theory and Computer Science, volume 389 of Lecture Notes in Computer Science, pages 357-365. Springer, 1989.

[6] Jiří Adámek and Václav Koubek. On the greatest fixed point of a set functor. Theoretical Computer Science, 150(1):57-75, 1995.

[7] Thorsten Altenkirch. α-conversion is easy. Unpublished note, 2002.

[8] André Arnold and Damian Niwiński. Rudiments of μ-calculus, volume 146 of Studies in Logic and the Foundations of Mathematics. Elsevier, 2001.

[9] Steve Awodey. Category Theory. Oxford Logic Guides. Oxford University Press, 2010.

[10] Patrick Bahr. Partial order infinitary term rewriting and Böhm trees. In Lynch [49], pages 67-84.

[11] Patrick Bahr. Partial order infinitary term rewriting. Logical Methods in Computer Science, 10(2), 2014.

[12] Henk Barendregt and Jan Willem Klop. Applications of infinitary lambda calculus. Information and Computation, 207(5):559-582, 2009.

[13] Henk P. Barendregt. The Lambda Calculus: Its Syntax and Semantics. North Holland, 2nd edition, 1984.

[14] Michael Barr. Terminal coalgebras in well-founded set theory. Theoretical Computer Science, 114(2):299-315, 1993.

[15] Gilles Barthe, Benjamin Grégoire, and Colin Riba. A tutorial on type-based termination. In Ana Bove, Luís Soares Barbosa, Alberto Pardo, and Jorge Sousa Pinto, editors, LerNet ALFA Summer School, volume 5520 of Lecture Notes in Computer Science, pages 100-152. Springer, 2008.

[16] Yves Bertot and Pierre Castéran. Interactive Theorem Proving and Program Development: Coq'Art: the Calculus of Inductive Constructions, chapter 13. Springer, 2004.

[17] Marc Bezem, Keiko Nakata, and Tarmo Uustalu. On streams that are finitely red. Logical Methods in Computer Science, 8:1-20, 2012.


55 


[18] Wilfried Buchholz. A term calculus for (co-)recursive definitions on streamlike data struc¬ 
tures. Annals of Pure and Applied Logic, 136(l-2):75-90, 2005. 

[19] Adam Chlipala. Certified Programming with Dependent Types, chapter 5. The MIT Press, 

2013. 

[20] Thierry Coquand. Infinite objects in type theory. In Henk Barendregt and Tobias Nipkow, 
editors, Types for Proofs and Programs, International Workshop TYPES’93, Nijmegen, 
The Netherlands, May 24-28, 1993, Selected Papers, volume 806 of Lecture Notes in Com¬ 
puter Science, pages 62-78. Springer, 1993. 

[21] Lukasz Czajka. A coinductive confluence proof for infinitary lambda-calculus. In Gilles 
Dowek, editor, Rewriting and Typed Lambda Calculi - Joint International Conference, RTA- 
TLCA 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, 
July 14-17, 2014■ Proceedings, volume 8560 of Lecture Notes in Computer Science , pages 
164-178. Springer, 2014. 

[22] Lukasz Czajka. Confluence of nearly orhtogonal infinitary term rewriting systems. In RTA 
2015, 2015. 

[23] Nils Anders Danielsson and Thorsten Altenkirch. Mixing induction and coinduction. Draft, 

2009. 

[24] Brian A. Davey and Hilary A. Priestley. Introduction to Lattices and Order. Cambridge 
University Press, 2nd edition, 2002. 

[25] N. G. de Bruijn. Lambda-calculus notation with nameless dummies: a tool for automatic 
formula manipulation with application to the Church-Rosser theorem. Indagationes Math- 
ematicae, 34(5):381—392, 1972. 

[26] Edsger W. Dijkstra. On the productivity of recursive definitions. Available at 
http://www.cs.utexas.edu/users/EWD/ewd07xx/EWD749.PDF, 1980. 

[27] Jorg Endrullis, Clemens Grabmayer, and Dimitri Hendriks. Data-oblivious stream produc¬ 
tivity. In I. Cervesato, H. Veith, and A. Voronkov, editors, LPAR 2008, volume 5530 of 
Lecture Notes in Computer Science, pages 79-96. Springer, 2008. 

[28] Jorg Endrullis, Clemens Grabmayer, Dimitri Hendriks, Ariya Isihara, and Jan Willem 
Klop. Productivity of stream definitions. Theoretical Computer Science, 411(4-5):765-782, 

2010 . 

[29] Jorg Endrullis, Helle Hvid Hansen, Dimitri Hendriks, Andrew Polonsky, and Alexan¬ 
dra Silva. A coinductive treatment of infinitary rewriting. Unpublished, available at 
http://arxiv.org/abs/1306.6224, 2013. 

[30] Jorg Endrullis, Dimitri Hendriks, and Jan Willem Klop. Highlights in infinitary rewriting 
and lambda calculus. Theoretical Computer Science, 464:48-71, 2012. 

[31] Jorg Endrullis, Dimitri Hendriks, and Jan Willem Klop. Streams are forever. Bulletin of 
the EATCS, 109:70-106, 2013. 

[32] Jorg Endrullis and Andrew Polonsky. Infinitary rewriting coinductively. In Nils Anders 
Danielsson and Bengt Nordstrom, editors, TYPES, volume 19 of LIPIcs, pages 16-27. 
Schloss Dagstuhl - Leibniz-Zentrum fur Informatik, 2011. 


56 


[33] Eduardo Gimenez. Codifying guarded definitions with recursive schemes. In Peter Dybjer, 
Bengt Nordstrom, and Jan M. Smith, editors, TYPES, volume 996 of Lecture Notes in 
Computer Science , pages 39-59. Springer, 1994. 

[34] John Hughes, Lars Pareto, and Amr Sabry. Proving the correctness of reactive systems us¬ 
ing sized types. In Hans-Juergen Boehm and Guy L. Steele Jr., editors, Conference Record 
of POPL’96: The 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Program¬ 
ming Languages, Papers Presented at the Symposium, St. Petersburg Beach, Florida, USA, 
January 21-24, 1996, pages 410-423. ACM Press, 1996. 

[35] Ariya Isihara. Productivity of algorithmic systems. Proceedings of SCSS 2008, pages 81 95, 
2008. 

[36] Bart Jacobs and Jan J.M.M. Rutten. An introduction to (co)algebras and (co)induction. 
In Advanced Topics in Bisimulation and Coinduction, pages 38-99. Cambridge University 
Press, 2011. 

[37] Felix Joachimski. Confluence of the coinductive [lambda]-calculus. Theoretical Computer 
Science, 311 (1-3): 105-119, 2004. 

[38] Richard Kennaway, Jan Willem Klop, M. Ronan Sleep, and Fer-Jan de Vries. Infinitary 
lambda calculi and Bohm models. In Jieh Hsiang, editor, RTA, volume 914 of Lecture 
Notes in Computer Science, pages 257-270. Springer, 1995. 

[39] Richard Kennaway, Jan Willem Klop, M. Ronan Sleep, and Fer-Jan de Vries. Infinitary 
lambda calculus. Theoretical Computer Science, 175(1):93-125, 1997. 

[40] Richard Kennaway, Vincent van Oostrom, and Fer-Jan de Vries. Meaningless terms in 
rewriting. Journal of Functional and Logic Programming, 1:1-35, 1999. 

[41] Jeroen Ketema and Jakob Grue Simonsen. Infinitary combinatory reduction systems: Con¬ 
fluence. Logical Methods in Computer Science, 5(4), 2009. 

[42] Jeroen Ketema and Jakob Grue Simonsen. Infinitary combinatory reduction systems: Nor¬ 
malising reduction strategies. Logical Methods in Computer Science , 6(1), 2010. 

[43] Jeroen Ketema and Jakob Grue Simonsen. Infinitary combinatory reduction systems. In¬ 
formation and Computation, 209(6):893-926, 2011. 

[44] Jan Willem Klop and Roel C. de Vrijer. Infinitary normalization. In Sergei N. Artemov, 
Howard Barringer, Artur S. d’Avila Garcez, Luis C. Lamb, and John Woods, editors, We 
Will Show Them! Essays in Honour of Dov Gabbay, Volume Two, pages 169-192. College 
Publications, 2005. 

[45] Dexter Kozen and Alexandra Silva. Practical coinduction. Draft, 2014. 

[46] Alexander Kurz, Daniela Petrisan, Paula Severi, and Fer-Jan de Vries. An alpha- 
corecursion principle for the infinitary lambda-calculus. In CMCS, pages 130-149, 2012. 

[47] Alexander Kurz, Daniela Petrisan, Paula Severi, and Fer-Jan de Vries. Nominal coalgebraic 
data types with applications to lambda calculus. Logical Methods in Computer Science, 
9:1-51, 2013. 

[48] Xavier Leroy and Herve Grail. Coinductive big-step operational semantics. Information 
and Computation, 207(2):284-304, 2009. 


57 



[49] Christopher Lynch, editor. Proceedings of the 21st International Conference on Rewriting 
Techniques and Applications, RTA 2010, July 11-13, 2010, Edinburgh, Scottland, UK, 
volume 6 of LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2010. 

[50] Keiko Nakata and Tarrno Uustalu. Resumptions, weak bisimilarity and big-step semantics 
for while with interactive I/O: An exercise in mixed induction-coinduction. In L. Aceto 
and P. Sobocinski, editors, Seventh Workshop on Structural Operational Semantics (SOS 
TO), pages 57-75, 2010. 

[51] Jan J.M.M. Rutten. Universal coalgebra: a theory of systems. Theoretical Computer 
Science, 249(l):3-80, 2000. 

[52] Davide Sangiorgi. Origins of bisimulation and coinduction. In Advanced Topics in Bisim¬ 
ulation and Coinduction, pages 1-37. Cambridge University Press, 2011. 

[53] Davide Sangiorgi. Introduction to Bisimulation and Coinduction. Cambridge University 
Press, 2012. 

[54] Paula Severi and Fer-Jan de Vries. An extensional Bohm model. In Sophie Tison, editor, 
RTA, volume 2378 of Lecture Notes in Computer Science, pages 159-173. Springer, 2002. 

[55] Paula Severi and Fer-Jan de Vries. Weakening the axiom of overlap in infmitary lambda 
calculus. In Manfred Schmidt-Schaufi, editor, Proceedings of the 22nd International Con¬ 
ference on Rewriting Techniques and Applications, RTA 2011, May 30 - June 1, 2011, Novi 
Sad, Serbia, volume 10 of LIPIcs, pages 313-328. Schloss Dagstuhl - Leibniz-Zentrum fuer 
Informatik, 2011. 

[56] Paula Severi and Fer-Jan de Vries. The infinitary lambda calculus of the infinite eta Bohm 
trees. Mathematical Structures in Computer Science, 2014. To appear. 

[57] Ben A. Sijtsma. On the productivity of recursive list definitions. ACM Trans. Program. 
Lang. Syst., ll(4):633-649, 1989. 

[58] Alastair Telford and David Turner. Ensuring streams flow. In Michael Johnson, editor, 
Algebraic Methodology and Software Technology, 6th International Conference, AMAST 
’97, Sydney, Australia, December 13-17, 1997, Proceedings, volume 1349 of Lecture Notes 
in Computer Science, pages 509-523. Springer, 1997. 

[59] Terese. Term Rewriting Systems, volume 55 of Cambridge Tracts in Theoretical Computer 
Science. Cambridge University Press, 2003. 

[60] James Worrell. On the final sequence of a finitary set functor. Theoretical Computer 
Science, 338(1-3):184-199, 2005. 

[61] Hans Zantema and Matthias Raffelsieper. Proving productivity in infinite data structures. 
In Lynch [49], pages 401-416. 


58 


A Extending final coalgebras to sized CPOs 


In this section we relate our method from Section HU for defining corecursive functions to the 
well-established method of finding unique morphisms into the final coalgebra of a functor. We 
show a theorem which says that for every final coalgebra in the category of sets there exists a 
“canonical” sized CPO. The proof of this theorem is an adaptation of the construction in |BJ Theorem 4]. First, we need some background on the coalgebraic approach to coinduction.


A.1 Coalgebraic foundations of coinduction

In this section we provide a brief overview of coalgebraic foundations of coinduction. Familiarity 
with basic category theory is assumed, in particular with the notions of functor, final object, 
cone and limit. We consider only functors in the category of sets. For an introduction to 
category theory see e.g. [9]. For more background on the coalgebraic approach to coinduction see e.g. [36, 51].

Definition A.1. A coalgebra of an endofunctor $F : \mathbf{Set} \to \mathbf{Set}$, or $F$-coalgebra, is a pair

$$(A,\ f : A \to FA)$$

where $A$ is the carrier set of the coalgebra. A homomorphism of $F$-coalgebras $(A, f)$ and $(B, g)$ is a morphism $h : A \to B$ such that $Fh \circ f = g \circ h$, i.e., the following diagram commutes:


$$\begin{array}{ccc}
A & \xrightarrow{\ \ f\ \ } & FA \\
{\scriptstyle h}\downarrow & & \downarrow{\scriptstyle Fh} \\
B & \xrightarrow{\ \ g\ \ } & FB
\end{array}$$


A final $F$-coalgebra is a final object in the category of $F$-coalgebras and $F$-homomorphisms. The final sequence of an endofunctor $F : \mathbf{Set} \to \mathbf{Set}$ is an ordinal-indexed sequence of sets $(A_\alpha)_\alpha$ with morphisms $(w^\beta_\gamma : A_\beta \to A_\gamma)_{\gamma < \beta}$ uniquely defined by the conditions:

• $A_{\beta+1} = F(A_\beta)$,

• $w^{\beta+1}_{\gamma+1} = F(w^\beta_\gamma)$,

• $w^\beta_\beta = \mathrm{id}$,

• $w^\beta_\delta = w^\gamma_\delta \circ w^\beta_\gamma$ for $\delta < \gamma < \beta$,

• if $\beta$ is a limit ordinal then the cone $(w^\beta_\gamma : A_\beta \to A_\gamma)_{\gamma < \beta}$ is the limit of the cochain $(A_\gamma)_{\gamma < \beta}$, i.e., of the diagram $(\{A_\gamma\}_{\gamma < \beta},\ (w^\gamma_\delta : A_\gamma \to A_\delta)_{\delta < \gamma < \beta})$.

It follows by transfinite induction that the final sequence is indeed well-defined by the given 
conditions. See e.g. [60] for the (easy) proof. 

The following two theorems were shown by Adámek and Koubek in [6].


Theorem A.2. Suppose the final sequence $(A_\alpha)_\alpha$ of $F$ stabilizes at $\zeta$, i.e., $w^{\zeta+1}_\zeta$ is an isomorphism. Then $(A_\zeta, (w^{\zeta+1}_\zeta)^{-1})$ is a final $F$-coalgebra.

Theorem A.3. If a set-functor has a final coalgebra, then its final sequence stabilizes. 
A.2 The theorem


The following theorem shows that for every final coalgebra in the category of sets there exists a “canonical” sized CPO. Moreover, it is always, in principle, possible to define any morphism into the final coalgebra as a unique fixpoint of an appropriate monotone endofunction. This shows that the method of defining corecursive functions as fixpoints of monotone endofunctions, using an underlying sized CPO, is fairly general. The construction in Theorem A.4 is an adaptation of the construction in [3 Theorem 4].

Theorem A.4. Let $(A, t)$ be the final coalgebra for a set-functor $T$. There exists a sized CPO $(\mathcal{A}, \sqsubseteq, s, \mathrm{cut})$ with $\mathrm{Max}(\mathcal{A}) = A$, such that for any set $S$ and any function $f : S \to TS$, the unique morphism $u : S \to A$ from $f$ into the final coalgebra $(A, t)$ is the unique fixpoint of some monotone endofunction $F : \mathcal{A}^S \to \mathcal{A}^S$ satisfying

$$\min_{x \in S} s(F(g)(x)) > \min_{x \in S} s(g(x)) \qquad (1)$$

for non-maximal $g \in \mathcal{A}^S$.
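As an added worked example, not part of the paper, the constructions of Definition A.1, Theorem A.2 and Theorem A.4 are carried through for the stream functor $TX = B \times X$ over a fixed set $B$; the set $B$, the coalgebra $f(x) = (b_x, x')$ with successor state $x'$, and the iterates $g_k$ are this example's own names.

```latex
% Added example (not from the paper): final sequence of T X = B \times X and the
% sized CPO of Theorem A.4. Notation w^{\beta}_{\gamma} : A_\beta \to A_\gamma (\gamma < \beta) as in A.1.

% Final sequence: A_0 = 1 is the limit of the empty cochain, A_{n+1} = T(A_n).
A_0 = 1 = \{\bot\}, \qquad
A_{n+1} = B \times A_n \cong B^{n+1}, \qquad
w^{n+1}_{n} = \mathrm{id}_B \times w^{n}_{n-1} : (b_1,\dots,b_{n+1}) \mapsto (b_1,\dots,b_n).

% At the limit ordinal \omega the cone (w^\omega_n)_n is the limit of (A_n)_{n<\omega}:
A_\omega = \varprojlim_{n<\omega} A_n = B^\omega, \qquad
w^{\omega}_{n}(\sigma) = (\sigma_1,\dots,\sigma_n).

% w^{\omega+1}_\omega is the mediating map into that limit, here "cons", since
% w^{\omega+1}_{n} = T(w^{\omega}_{n-1}) sends (b,\sigma) to (b,\sigma_1,\dots,\sigma_{n-1}):
A_{\omega+1} = B \times B^\omega, \qquad
w^{\omega+1}_{\omega}(b,\sigma) = b\sigma, \qquad
w^{\omega}_{n} \circ w^{\omega+1}_{\omega} = \mathrm{id}_B \times w^{\omega}_{n-1} = w^{\omega+1}_{n}.

% Cons is a bijection, so the sequence stabilizes at \zeta = \omega and Theorem A.2
% yields the final coalgebra (B^\omega, t) with t = (w^{\omega+1}_\omega)^{-1}:
t(\sigma) = (\sigma_1,\ (\sigma_2,\sigma_3,\dots)) = (\mathrm{head}\,\sigma,\ \mathrm{tail}\,\sigma).

% Sized CPO of Theorem A.4: carrier \coprod_{n \le \omega} A_n = B^{\le\omega}
% (finite words tagged by their length, together with B^\omega). The order is
p \sqsubseteq q \iff p_1 \le q_1 \text{ and } w^{q_1}_{p_1}(q_2) = p_2
            \iff p_2 \text{ is the prefix of } q_2 \text{ of length } p_1,
\qquad s(x) = |x|, \qquad
\mathrm{cut}(n, x) = \begin{cases} (x_1,\dots,x_n) & \text{if } |x| > n \\ x & \text{otherwise,} \end{cases}
\qquad \mathrm{Max}(\mathcal{A}) = B^\omega.

% Endofunction F for a coalgebra f : S \to B \times S, written f(x) = (b_x, x'):
m(g) = \min_{x \in S} |g(x)|, \qquad
g^*(x) = \mathrm{cut}(m(g), g(x)), \qquad
F(g)(x) = \begin{cases}
  T g^*(f(x)) = (b_x,\ g^*(x')) & \text{if } m(g) < \omega \\
  t^{-1}(b_x,\ g(x')) = b_x\, g(x')  & \text{if } m(g) = \omega.
\end{cases}

% Every F(g)(x) has length m(g)+1, which is condition (1). Iterating from the
% bottom g_0(x) = \bot (length 0) gives g_k(x) = (b_x, b_{x'}, \dots, b_{x^{(k-1)}}),
% the length-k prefix of the unfolding u(x) = b_x\, b_{x'}\, b_{x''} \cdots, and u is
% the unique fixpoint of F: the unique homomorphism from (S, f) into (B^\omega, t).
```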

Proof. Let $(A_\alpha)_\alpha$ with $(w^\alpha_\beta : A_\alpha \to A_\beta)_{\beta < \alpha}$ be the final sequence of $T$. Since $T$ has a final coalgebra, by Theorem A.3 the final sequence stabilizes at some ordinal $\zeta$. By Theorem A.2 we may assume without loss of generality that $(A, t) = (A_\zeta, (w^{\zeta+1}_\zeta)^{-1})$ (otherwise we just need to compose some morphisms below with the isomorphism between $A$ and $A_\zeta$). Without loss of generality we may identify $A$ with $\{\zeta\} \times A$ (otherwise the definition of $\mathcal{A}$ below just needs to be complicated slightly by taking the carrier set to be e.g. $A \cup \bigcup_{\alpha < \zeta}(\{\alpha\} \times A_\alpha)$ and adjusting the definition of $\sqsubseteq$ accordingly). If $p$ is a pair, then by $p_1$ we denote the first and by $p_2$ the second component of $p$. Take $\mathcal{A} = (\coprod_{\alpha \le \zeta} A_\alpha, \sqsubseteq)$, where $\coprod_{\alpha \le \zeta} A_\alpha = \{(\alpha, x) \mid \alpha \le \zeta,\ x \in A_\alpha\}$, with $p \sqsubseteq q$ iff $p_1 \le q_1$ and $w^{q_1}_{p_1}(q_2) = p_2$. It follows from the definition of the final sequence of an endofunctor that $\sqsubseteq$ is a partial order.

We show that $\mathcal{A}$ is a CPO. The bottom of $\mathcal{A}$ is $(0, \bot)$ where $\bot$ is the sole element of $A_0$. Let $D \subseteq \mathcal{A}$ be a directed set. First, we show that $D$ is in fact a chain. Let $p, q \in D$ with $p_1 \le q_1$. Because $D$ is directed there is $r \in D$ with $p, q \sqsubseteq r$, i.e., $p_1 \le q_1 \le r_1$, $w^{r_1}_{q_1}(r_2) = q_2$ and $w^{r_1}_{p_1}(r_2) = p_2$. Because $w^{r_1}_{p_1} = w^{q_1}_{p_1} \circ w^{r_1}_{q_1}$ we have $w^{q_1}_{p_1}(q_2) = w^{q_1}_{p_1}(w^{r_1}_{q_1}(r_2)) = w^{r_1}_{p_1}(r_2) = p_2$. Hence $p \sqsubseteq q$.

Let $\alpha$ be the least upper bound of $D_1 = \{p_1 \mid p \in D\}$. If there is $p \in D$ with $p_1 = \alpha$, i.e., $\alpha \in D_1$ is the largest element of $D_1$, then $p$ is the largest element of $D$, and thus the supremum. Indeed, let $q \in D$. Since $D$ is a chain, $q \sqsubseteq p$ or $p \sqsubseteq q$. If $p \sqsubseteq q$ then $q_1 = \alpha$, because $p_1 = \alpha$ is the largest element of $D_1$. But this implies $q = p$, because $w^\alpha_\alpha = \mathrm{id}$.

So assume $\alpha \notin D_1$. Then $\alpha$ must be a limit ordinal. So the cone $C = (w^\alpha_\beta : A_\alpha \to A_\beta)_{\beta < \alpha}$ is the limit of the cochain $(A_\beta)_{\beta < \alpha}$. Let $A'_\alpha = A_\alpha \cup \{a\}$ where $a \notin A_\alpha$. We define functions $f_\beta : A'_\alpha \to A_\beta$ for $\beta < \alpha$ as follows: $f_\beta(x) = w^\alpha_\beta(x)$ if $x \ne a$, and $f_\beta(a) = w^\gamma_\beta(z^\beta_2)$ for the element $z^\beta \in D$ such that $z^\beta_1 = \gamma > \beta$ is smallest in $\{\gamma \in D_1 \mid \gamma > \beta\}$. The element $z^\beta$ is uniquely defined, because distinct elements of $\mathcal{A}$ with the same first components are pairwise incomparable, and $D$ is a chain with elements with first components arbitrarily close to $\alpha$, and $\beta < \alpha$. We show that $(f_\beta : A'_\alpha \to A_\beta)_{\beta < \alpha}$ is a cone over the cochain $(A_\beta)_{\beta < \alpha}$, i.e., over the diagram $(\{A_\beta\}_{\beta < \alpha}, (w^\gamma_\beta : A_\gamma \to A_\beta)_{\beta < \gamma < \alpha})$. Let $\gamma > \beta$. We have $w^\gamma_\beta(f_\gamma(a)) = w^\gamma_\beta(w^{\gamma_1}_\gamma(z^\gamma_2))$ where $\gamma_1 > \gamma$ and $z^\gamma$ are such that $f_\gamma(a) = w^{\gamma_1}_\gamma(z^\gamma_2)$. Let $\beta_1 > \beta$ be such that $f_\beta(a) = w^{\beta_1}_\beta(z^\beta_2)$. Then $\beta_1 \le \gamma_1$, so $z^\beta \sqsubseteq z^\gamma$, because $D$ is a chain. Thus $w^{\gamma_1}_{\beta_1}(z^\gamma_2) = z^\beta_2$, so $w^{\beta_1}_\beta(z^\beta_2) = w^{\gamma_1}_\beta(z^\gamma_2)$. Hence $w^\gamma_\beta(f_\gamma(a)) = w^{\gamma_1}_\beta(z^\gamma_2) = w^{\beta_1}_\beta(z^\beta_2) = f_\beta(a)$. For $x \in A_\alpha$ the condition $f_\beta(x) = w^\gamma_\beta(f_\gamma(x))$ follows directly from definitions. Therefore $(f_\beta : A'_\alpha \to A_\beta)_{\beta < \alpha}$ is a cone, and since $C$ is the limit, there exists a unique $u : A'_\alpha \to A_\alpha$ such that $f_\beta = w^\alpha_\beta \circ u$ for $\beta < \alpha$. We show that $\bar{a} = (\alpha, u(a))$ is the supremum of $D$. To prove that $\bar{a}$ is an upper bound, it suffices to show that if $d \in D$ then $w^\alpha_{d_1}(u(a)) = d_2$. But this holds because $w^\alpha_{d_1}(u(a)) = f_{d_1}(a) = d_2$. So suppose $b$ is also an upper bound. Then so is $(\alpha, w^{b_1}_\alpha(b_2))$, hence we may assume $b_1 = \alpha$. Define $u' : A'_\alpha \to A_\alpha$ by: $u'(x) = u(x)$ if $x \ne a$, and $u'(a) = b_2$. Since $w^\alpha_{d_1}(u'(a)) = d_2$ for $d \in D$, we have $f_\beta(a) = w^\gamma_\beta(z^\beta_2) = w^\gamma_\beta(w^\alpha_\gamma(u'(a))) = w^\alpha_\beta(u'(a))$ for $\beta < \alpha$, where $\gamma = z^\beta_1$. This implies $f_\beta = w^\alpha_\beta \circ u'$ for $\beta < \alpha$. Thus $u' = u$, because $u : A'_\alpha \to A_\alpha$ is unique such that $f_\beta = w^\alpha_\beta \circ u$ for $\beta < \alpha$. Hence $b = \bar{a}$. So $\bar{a}$ is the supremum of $D$. Therefore, $\mathcal{A}$ is a CPO.

It is clear that $\mathrm{Max}(\mathcal{A}) = A$ $(= \{\zeta\} \times A)$. The size function $s : \mathcal{A} \to \mathrm{On}(\zeta)$ is defined by $s(x) = x_1$ for $x \in \mathcal{A}$. It is obviously surjective. That $s$ is continuous follows from the construction of supremums we have given in the previous paragraph. Of course, $s(x) = \zeta$ iff $x \in \mathcal{A}$ is maximal. The cut-function $\mathrm{cut} : \mathrm{On}(\zeta) \times \mathcal{A} \to \mathcal{A}$ is defined by:

• $\mathrm{cut}(\alpha, x) = (\alpha, w^{x_1}_\alpha(x_2))$ if $x_1 > \alpha$,

• $\mathrm{cut}(\alpha, x) = x$ otherwise.

It follows from definitions that $\mathrm{cut}$ is monotone in both arguments. Therefore, $(\mathcal{A}, \sqsubseteq, s, \mathrm{cut})$ is a sized CPO with $\mathrm{Max}(\mathcal{A}) = A$. To save on notation, from now on we confuse $x \in \mathcal{A}$ with $x_2$, using $s(x)$ to denote the first component.

Let $S$ be a set and let $f : S \to TS$. Suppose $u : S \to A$ is the unique morphism from $f$ into the final coalgebra $(A, t)$. For $g : S \to \mathcal{A}$ define $m(g) = \min_{x \in S} s(g(x))$, and define $g^* : S \to \mathcal{A}$ by $g^*(x) = w^{s(g(x))}_{m(g)}(g(x))$ for $x \in S$. Note that $g^* : S \to A_{m(g)}$, so $Tg^* : TS \to A_{m(g)+1}$, and if $m(g) = \zeta$ then $g^* = g$. Let $F : \mathcal{A}^S \to \mathcal{A}^S$ be defined by

$$F(g) = \begin{cases} Tg^* \circ f & \text{if } m(g) < \zeta \\ t^{-1} \circ Tg \circ f & \text{otherwise} \end{cases}$$

for $g \in \mathcal{A}^S$. For non-maximal $g \in \mathcal{A}^S$ we have $m(g) < \zeta$ and thus

$$\min_{x \in S} s(F(g)(x)) = \min_{x \in S} s(Tg^*(f(x))) = m(g) + 1 > m(g) = \min_{x \in S} s(g(x)),$$

so (1) is satisfied. We show that $F$ is monotone. So let $g, h \in \mathcal{A}^S$ with $g \sqsubseteq h$, i.e., $g(x) \sqsubseteq h(x)$ for all $x \in S$. Then $m(g) \le m(h)$. We may assume $m(g) < \zeta$, because if $m(g) = m(h) = \zeta$ then $g = h$. We have $g^*(x) \sqsubseteq h^*(x)$ for all $x \in S$. Indeed, for $x \in S$ we have $g(x) = w^{s(h(x))}_{s(g(x))}(h(x))$ and thus

$$g^*(x) = w^{s(g(x))}_{m(g)}(g(x)) = w^{s(g(x))}_{m(g)}\big(w^{s(h(x))}_{s(g(x))}(h(x))\big) = w^{s(h(x))}_{m(g)}(h(x)) = w^{m(h)}_{m(g)}\big(w^{s(h(x))}_{m(h)}(h(x))\big) = w^{m(h)}_{m(g)}(h^*(x)).$$

So $g^* = w^{m(h)}_{m(g)} \circ h^*$, and hence $Tg^* = Tw^{m(h)}_{m(g)} \circ Th^*$. We have $Tw^{m(h)}_{m(g)} = w^{m(h)+1}_{m(g)+1}$, so

$$F(g) = Tg^* \circ f = Tw^{m(h)}_{m(g)} \circ Th^* \circ f = w^{m(h)+1}_{m(g)+1} \circ Th^* \circ f.$$

If $m(h) < \zeta$ then this implies $F(g) = w^{m(h)+1}_{m(g)+1} \circ F(h)$, so $F(g) \sqsubseteq F(h)$. If $m(h) = \zeta$ then $F(g) = w^{\zeta+1}_{m(g)+1} \circ Th \circ f = w^{\zeta}_{m(g)+1} \circ w^{\zeta+1}_{\zeta} \circ Th \circ f = w^{\zeta}_{m(g)+1} \circ F(h)$ because $t^{-1} = w^{\zeta+1}_\zeta$. So then also $F(g) \sqsubseteq F(h)$. Therefore $F$ is monotone.

It remains to show that $u$ is the unique fixpoint of $F$. Let $v$ be a fixpoint of $F$. By (1) we must have $v \in A^S$. Then $F(v) = t^{-1} \circ Tv \circ f$, so $t^{-1} \circ Tv \circ f = v$. This implies $Tv \circ f = t \circ v$, so $v$ is a morphism from the coalgebra $(S, f)$ into the final coalgebra $(A, t)$. Therefore $v = u$. □